Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/boot/Makefile.version2
-rw-r--r--usr/src/boot/lib/libstand/zfs/zfs.c110
-rw-r--r--usr/src/boot/lib/libstand/zfs/zfsimpl.c20
-rw-r--r--usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h2
-rw-r--r--usr/src/cmd/idmap/idmapd/idmap_lsa.c14
-rw-r--r--usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c8
-rw-r--r--usr/src/cmd/ptools/ptree/ptree.c24
-rw-r--r--usr/src/cmd/smbsrv/smbadm/smbadm.c34
-rw-r--r--usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c53
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h4
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/lsalib.c40
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/lsalib.h2
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers4
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c35
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/libsmb.h4
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/mapfile-vers4
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c36
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c4
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/smb_privilege.c8
-rw-r--r--usr/src/man/man1/ptree.114
-rw-r--r--usr/src/man/man1m/smbadm.1m8
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb2_dispatch.c25
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb2_negotiate.c8
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_authenticate.c8
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_common_open.c7
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_cred.c31
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_node.c7
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_user.c53
-rw-r--r--usr/src/uts/common/io/i40e/core/README.illumos91
-rw-r--r--usr/src/uts/common/io/i40e/core/i40e_common.c8
-rw-r--r--usr/src/uts/common/io/nvme/nvme.c4
-rw-r--r--usr/src/uts/common/rpc/clnt_cots.c47
-rw-r--r--usr/src/uts/common/smbsrv/smb_door.h6
-rw-r--r--usr/src/uts/common/smbsrv/smb_ktypes.h4
-rw-r--r--usr/src/uts/common/smbsrv/smb_privilege.h8
35 files changed, 549 insertions, 188 deletions
diff --git a/usr/src/boot/Makefile.version b/usr/src/boot/Makefile.version
index a161b24487..46e00fbcea 100644
--- a/usr/src/boot/Makefile.version
+++ b/usr/src/boot/Makefile.version
@@ -33,4 +33,4 @@ LOADER_VERSION = 1.1
# Use date like formatting here, YYYY.MM.DD.XX, without leading zeroes.
# The version is processed from left to right, the version number can only
# be increased.
-BOOT_VERSION = $(LOADER_VERSION)-2019.11.05.1
+BOOT_VERSION = $(LOADER_VERSION)-2019.11.06.1
diff --git a/usr/src/boot/lib/libstand/zfs/zfs.c b/usr/src/boot/lib/libstand/zfs/zfs.c
index e76f1ada52..665d0b4a48 100644
--- a/usr/src/boot/lib/libstand/zfs/zfs.c
+++ b/usr/src/boot/lib/libstand/zfs/zfs.c
@@ -347,57 +347,107 @@ vdev_read(vdev_t *vdev __unused, void *priv, off_t offset, void *buf,
size_t bytes)
{
int fd, ret;
- size_t res, size, remainder, rb_size, blksz;
- unsigned secsz;
- off_t off;
- char *bouncebuf, *rb_buf;
+ size_t res, head, tail, total_size, full_sec_size;
+ unsigned secsz, do_tail_read;
+ off_t start_sec;
+ char *outbuf, *bouncebuf;
fd = (uintptr_t)priv;
+ outbuf = (char *)buf;
bouncebuf = NULL;
ret = ioctl(fd, DIOCGSECTORSIZE, &secsz);
if (ret != 0)
return (ret);
- off = offset / secsz;
- remainder = offset % secsz;
- if (lseek(fd, off * secsz, SEEK_SET) == -1)
- return (errno);
-
- rb_buf = buf;
- rb_size = bytes;
- size = roundup2(bytes + remainder, secsz);
- blksz = size;
- if (remainder != 0 || size != bytes) {
- bouncebuf = zfs_alloc(secsz);
+ /*
+ * Handling reads of arbitrary offset and size - multi-sector case
+ * and single-sector case.
+ *
+ * Multi-sector Case
+ * (do_tail_read = true if tail > 0)
+ *
+ * |<----------------------total_size--------------------->|
+ * | |
+ * |<--head-->|<--------------bytes------------>|<--tail-->|
+ * | | | |
+ * | | |<~full_sec_size~>| | |
+ * +------------------+ +------------------+
+ * | |0101010| . . . |0101011| |
+ * +------------------+ +------------------+
+ * start_sec start_sec + n
+ *
+ *
+ * Single-sector Case
+ * (do_tail_read = false)
+ *
+ * |<------total_size = secsz----->|
+ * | |
+ * |<-head->|<---bytes--->|<-tail->|
+ * +-------------------------------+
+ * | |0101010101010| |
+ * +-------------------------------+
+ * start_sec
+ */
+ start_sec = offset / secsz;
+ head = offset % secsz;
+ total_size = roundup2(head + bytes, secsz);
+ tail = total_size - (head + bytes);
+ do_tail_read = ((tail > 0) && (head + bytes > secsz));
+ full_sec_size = total_size;
+ if (head > 0)
+ full_sec_size -= secsz;
+ if (do_tail_read)
+ full_sec_size -= secsz;
+
+ /* Return of partial sector data requires a bounce buffer. */
+ if ((head > 0) || do_tail_read) {
+ bouncebuf = malloc(secsz);
if (bouncebuf == NULL) {
printf("vdev_read: out of memory\n");
return (ENOMEM);
}
- rb_buf = bouncebuf;
- blksz = rb_size - remainder;
}
- while (bytes > 0) {
- res = read(fd, rb_buf, rb_size);
- if (res != rb_size) {
+ if (lseek(fd, start_sec * secsz, SEEK_SET) == -1) {
+ ret = errno;
+ goto error;
+ }
+
+ /* Partial data return from first sector */
+ if (head > 0) {
+ res = read(fd, bouncebuf, secsz);
+ if (res != secsz) {
+ ret = EIO;
+ goto error;
+ }
+ memcpy(outbuf, bouncebuf + head, min(secsz - head, bytes));
+ outbuf += min(secsz - head, bytes);
+ }
+
+ /* Full data return from read sectors */
+ if (full_sec_size > 0) {
+ res = read(fd, outbuf, full_sec_size);
+ if (res != full_sec_size) {
+ ret = EIO;
+ goto error;
+ }
+ outbuf += full_sec_size;
+ }
+
+ /* Partial data return from last sector */
+ if (do_tail_read) {
+ res = read(fd, bouncebuf, secsz);
+ if (res != secsz) {
ret = EIO;
goto error;
}
- if (bytes < blksz)
- blksz = bytes;
- if (bouncebuf != NULL)
- memcpy(buf, rb_buf + remainder, blksz);
- buf = (void *)((uintptr_t)buf + blksz);
- bytes -= blksz;
- remainder = 0;
- blksz = rb_size;
+ memcpy(outbuf, bouncebuf, secsz - tail);
}
ret = 0;
error:
- if (bouncebuf != NULL)
- zfs_free(bouncebuf, secsz);
+ free(bouncebuf);
return (ret);
}
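Review bot: A sector-aligned read shorter than one sector (`head == 0`, `bytes < secsz`) overruns the caller's buffer in the "Full data return" step. `total_size` rounds up to `secsz` and `do_tail_read` is false because `head + bytes > secsz` does not hold, so `full_sec_size` stays at `secsz` and `read(fd, outbuf, full_sec_size)` writes a whole sector into a buffer of `bytes` bytes. No bounce buffer exists in that case either, since the allocation is guarded by `(head > 0) || do_tail_read`. The short aligned read should go through the bounce buffer and copy only `bytes`, as in the excerpt below. Separately, `secsz` comes straight from `DIOCGSECTORSIZE` and is used as a divisor and as the `roundup2()` alignment without a check that it is a non-zero power of two.

```c
	/* Return of partial sector data requires a bounce buffer. */
	if ((head > 0) || do_tail_read || bytes < secsz) {
		bouncebuf = malloc(secsz);
		/* … unchanged: out-of-memory handling … */
	}
	/* … unchanged: lseek and partial read of the first sector … */

	/* Full data return from read sectors */
	if (full_sec_size > 0) {
		if (bytes < full_sec_size) {
			/* Aligned read shorter than one sector. */
			res = read(fd, bouncebuf, secsz);
			if (res != secsz) {
				ret = EIO;
				goto error;
			}
			memcpy(outbuf, bouncebuf, bytes);
		} else {
			res = read(fd, outbuf, full_sec_size);
			if (res != full_sec_size) {
				ret = EIO;
				goto error;
			}
			outbuf += full_sec_size;
		}
	}
	/* … unchanged: partial read of the last sector … */
```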
diff --git a/usr/src/boot/lib/libstand/zfs/zfsimpl.c b/usr/src/boot/lib/libstand/zfs/zfsimpl.c
index fba9f1fc59..7d0d79b922 100644
--- a/usr/src/boot/lib/libstand/zfs/zfsimpl.c
+++ b/usr/src/boot/lib/libstand/zfs/zfsimpl.c
@@ -1106,6 +1106,7 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev,
const unsigned char *kids;
int nkids, i, is_new;
uint64_t is_offline, is_faulted, is_degraded, is_removed, isnt_present;
+ uint64_t is_log;
if (nvlist_find(nvlist, ZPOOL_CONFIG_GUID, DATA_TYPE_UINT64,
NULL, &guid) ||
@@ -1129,6 +1130,7 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev,
}
is_offline = is_removed = is_faulted = is_degraded = isnt_present = 0;
+ is_log = 0;
nvlist_find(nvlist, ZPOOL_CONFIG_OFFLINE, DATA_TYPE_UINT64, NULL,
&is_offline);
@@ -1140,6 +1142,8 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev,
&is_degraded);
nvlist_find(nvlist, ZPOOL_CONFIG_NOT_PRESENT, DATA_TYPE_UINT64, NULL,
&isnt_present);
+ nvlist_find(nvlist, ZPOOL_CONFIG_IS_LOG, DATA_TYPE_UINT64, NULL,
+ &is_log);
vdev = vdev_find(guid);
if (!vdev) {
@@ -1226,6 +1230,7 @@ vdev_init_from_nvlist(const unsigned char *nvlist, vdev_t *pvdev,
return (ENOMEM);
vdev->v_name = name;
}
+ vdev->v_islog = is_log == 1;
} else {
is_new = 0;
}
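Review bot: `vdev->v_islog = is_log == 1;` treats only the exact value 1 as a log device, whereas the check this commit removes from vdev_probe() rejected any non-zero `ZPOOL_CONFIG_IS_LOG`. The value is read from the on-disk label, so a non-zero value other than 1 would now be handled as an ordinary vdev; `vdev->v_islog = (is_log != 0);` keeps the earlier meaning. The assignment also appears to sit in the branch that creates a new vdev, so an already-known vdev keeps whatever flag it had. The enclosing function starts and ends outside this hunk.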
@@ -1429,6 +1434,12 @@ vdev_status(vdev_t *vdev, int indent)
{
vdev_t *kid;
int ret;
+
+ if (vdev->v_islog) {
+ (void)pager_output(" logs\n");
+ indent++;
+ }
+
ret = print_state(indent, vdev->v_name, vdev->v_state);
if (ret != 0)
return (ret);
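Review bot: The return value of `pager_output(" logs\n")` is discarded with a `(void)` cast, while the `print_state()` call directly below propagates a non-zero result to the caller. If pager_output() signals an interrupted listing the same way (its definition is not in this hunk), the header line should follow the same pattern: `ret = pager_output(" logs\n"); if (ret != 0) return (ret);`. The header is also emitted for every vdev with `v_islog` set, so a pool with several log devices would presumably print it more than once. vdev_status() continues past the end of the hunk.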
@@ -1759,12 +1770,6 @@ vdev_probe(vdev_phys_read_t *phys_read, void *read_priv, spa_t **spap)
return (EIO);
}
- if (nvlist_find(nvlist, ZPOOL_CONFIG_IS_LOG, DATA_TYPE_UINT64,
- NULL, &val) == 0 && val != 0) {
- free(nvlist);
- return (EIO);
- }
-
/*
* Create the pool if this is the first time we've seen it.
*/
@@ -1839,6 +1844,9 @@ vdev_probe(vdev_phys_read_t *phys_read, void *read_priv, spa_t **spap)
return (EIO);
}
+ if (vdev->v_islog)
+ spa->spa_with_log = vdev->v_islog;
+
/* Record boot vdev for spa. */
if (is_newer == 1)
spa->spa_boot_vdev = vdev;
diff --git a/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h b/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h
index 8f45983761..6b629f8fe5 100644
--- a/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h
+++ b/usr/src/boot/sys/cddl/boot/zfs/zfsimpl.h
@@ -1770,6 +1770,7 @@ typedef struct vdev {
vdev_phys_read_t *v_phys_read; /* read from raw leaf vdev */
vdev_read_t *v_read; /* read from vdev */
void *v_read_priv; /* private data for read function */
+ boolean_t v_islog;
struct spa *spa; /* link to spa */
/*
* Values stored in the config for an indirect or removing vdev.
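Review bot: The new `v_islog` member is the only field in this part of `struct vdev` without a trailing comment; the neighbouring members and the new `spa_with_log` field in the next hunk all carry one. Suggested: `boolean_t v_islog; /* this vdev is a log device */`. The struct definition starts and ends outside the hunk.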
@@ -1795,6 +1796,7 @@ typedef struct spa {
void *spa_cksum_tmpls[ZIO_CHECKSUM_FUNCTIONS];
int spa_inited; /* initialized */
vdev_t *spa_boot_vdev; /* boot device for kernel */
+ boolean_t spa_with_log; /* this pool has log */
} spa_t;
/* IO related arguments. */
diff --git a/usr/src/cmd/idmap/idmapd/idmap_lsa.c b/usr/src/cmd/idmap/idmapd/idmap_lsa.c
index 28c6c2755e..12296e822c 100644
--- a/usr/src/cmd/idmap/idmapd/idmap_lsa.c
+++ b/usr/src/cmd/idmap/idmapd/idmap_lsa.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
/*
@@ -83,9 +83,9 @@ lookup_lsa_by_sid(
(void) snprintf(sid, sizeof (sid), "%s-%u", sidprefix, rid);
- rc = smb_lookup_sid(sid, &acct);
+ rc = smb_lookup_lsid(sid, &acct);
if (rc != 0) {
- idmapdlog(LOG_ERR, "Error: smb_lookup_sid failed.");
+ idmapdlog(LOG_ERR, "Error: SMB lookup SID failed.");
idmapdlog(LOG_ERR,
"Check SMB service (svc:/network/smb/server).");
idmapdlog(LOG_ERR,
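Review bot: The switch to `smb_lookup_lsid()` carries no comment at the call site saying why idmapd now uses the local-only door operation; the only explanation in the commit is the "Don't call out to AD" remark on the smbd side. With the domain lookup skipped, accounts known only to the domain will presumably come back as `IDMAP_ERR_NOTFOUND` through the `a_status` check in the next hunk, which a reader of idmap_lsa.c cannot tell from here. Suggested above the call: `/* Local-only lookup: smbd must not call out to AD on behalf of idmapd. */`. The same applies to the `smb_lookup_lname()` call in lookup_lsa_by_name(); both functions extend beyond their hunks.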
@@ -100,7 +100,7 @@ lookup_lsa_by_sid(
}
if (acct.a_status != NT_STATUS_SUCCESS) {
idmapdlog(LOG_WARNING,
- "Warning: smb_lookup_sid(%s) failed (0x%x)",
+ "Warning: SMB lookup SID(%s) failed (0x%x)",
sid, acct.a_status);
/* Fail soft */
ret = IDMAP_ERR_NOTFOUND;
@@ -167,9 +167,9 @@ lookup_lsa_by_name(
goto out;
}
- rc = smb_lookup_name(namedom, SidTypeUnknown, &acct);
+ rc = smb_lookup_lname(namedom, SidTypeUnknown, &acct);
if (rc != 0) {
- idmapdlog(LOG_ERR, "Error: smb_lookup_name failed.");
+ idmapdlog(LOG_ERR, "Error: SMB lookup name failed.");
idmapdlog(LOG_ERR,
"Check SMB service (svc:/network/smb/server).");
idmapdlog(LOG_ERR,
@@ -183,7 +183,7 @@ lookup_lsa_by_name(
}
if (acct.a_status != NT_STATUS_SUCCESS) {
idmapdlog(LOG_WARNING,
- "Warning: smb_lookup_name(%s) failed (0x%x)",
+ "Warning: SMB lookup name(%s) failed (0x%x)",
namedom, acct.a_status);
/* Fail soft */
ret = IDMAP_ERR_NOTFOUND;
diff --git a/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c b/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c
index 4195a62149..7fc4ec3afc 100644
--- a/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c
+++ b/usr/src/cmd/mdb/common/modules/smbsrv/smbsrv.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
#include <mdb/mdb_modapi.h>
@@ -1409,6 +1409,12 @@ user_priv_bits[] = {
{ "CHANGE_NOTIFY",
SMB_USER_PRIV_CHANGE_NOTIFY,
SMB_USER_PRIV_CHANGE_NOTIFY },
+ { "READ_FILE",
+ SMB_USER_PRIV_READ_FILE,
+ SMB_USER_PRIV_READ_FILE },
+ { "WRITE_FILE",
+ SMB_USER_PRIV_WRITE_FILE,
+ SMB_USER_PRIV_WRITE_FILE },
{ NULL, 0, 0 }
};
diff --git a/usr/src/cmd/ptools/ptree/ptree.c b/usr/src/cmd/ptools/ptree/ptree.c
index 83f9c3c7e1..82a32bf46c 100644
--- a/usr/src/cmd/ptools/ptree/ptree.c
+++ b/usr/src/cmd/ptools/ptree/ptree.c
@@ -90,6 +90,7 @@ static int aflag = 0;
static int cflag = 0;
static int gflag = 0;
static int sflag = 0;
+static int wflag = 0;
static int zflag = 0;
static zoneid_t zoneid;
static char *match_svc;
@@ -149,6 +150,8 @@ usage(void)
(void) fprintf(stderr,
" -s : print only processes with given service FMRI\n");
(void) fprintf(stderr,
+ " -w : allow lines to wrap instead of truncating\n");
+ (void) fprintf(stderr,
" -z : print only processes in given zone\n");
exit(2);
}
@@ -164,7 +167,7 @@ main(int argc, char **argv)
ps_t *p;
/* options */
- while ((opt = getopt(argc, argv, "acgs:z:")) != EOF) {
+ while ((opt = getopt(argc, argv, "acgs:wz:")) != EOF) {
switch (opt) {
case 'a': /* include children of process 0 */
aflag = 1;
@@ -180,6 +183,9 @@ main(int argc, char **argv)
sflag = 1;
match_svc = parse_svc(optarg, &match_inst);
break;
+ case 'w':
+ wflag = 1;
+ break;
case 'z': /* only processes in given zone */
zflag = 1;
zoneid = getzone(optarg);
@@ -196,8 +202,10 @@ main(int argc, char **argv)
if (errflg)
usage();
- columns = get_termwidth();
- VERIFY3S(columns, >, 0);
+ if (!wflag) {
+ columns = get_termwidth();
+ VERIFY3S(columns, >, 0);
+ }
nps = 0;
psize = 0;
@@ -334,8 +342,14 @@ printone(ps_t *p, int level)
if (p->done && !FAKEDPID0(p)) {
indent = level * 2;
- if ((n = columns - PIDWIDTH - indent - 2) < 0)
- n = 0;
+
+ if (wflag) {
+ n = strlen(p->psargs);
+ } else {
+ if ((n = columns - PIDWIDTH - indent - 2) < 0)
+ n = 0;
+ }
+
printlines(p, level);
if (p->pid >= 0) {
(void) printf("%-*d %.*s\n", PIDWIDTH, (int)p->pid, n,
diff --git a/usr/src/cmd/smbsrv/smbadm/smbadm.c b/usr/src/cmd/smbsrv/smbadm/smbadm.c
index d8509aecdf..4d06c00b36 100644
--- a/usr/src/cmd/smbsrv/smbadm/smbadm.c
+++ b/usr/src/cmd/smbsrv/smbadm/smbadm.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -178,6 +178,10 @@ static smbadm_prop_handle_t *smbadm_prop_gethandle(char *pname);
static boolean_t smbadm_chkprop_priv(smbadm_prop_t *prop);
static int smbadm_setprop_tkowner(char *gname, smbadm_prop_t *prop);
static int smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop);
+static int smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop);
+static int smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop);
+static int smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop);
+static int smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop);
static int smbadm_setprop_backup(char *gname, smbadm_prop_t *prop);
static int smbadm_getprop_backup(char *gname, smbadm_prop_t *prop);
static int smbadm_setprop_restore(char *gname, smbadm_prop_t *prop);
@@ -192,6 +196,10 @@ static smbadm_prop_handle_t smbadm_ptable[] = {
smbadm_getprop_restore, smbadm_chkprop_priv },
{"take-ownership", "on|off", smbadm_setprop_tkowner,
smbadm_getprop_tkowner, smbadm_chkprop_priv },
+ {"bypass-read", "on|off", smbadm_setprop_readfile,
+ smbadm_getprop_readfile, smbadm_chkprop_priv },
+ {"bypass-write", "on|off", smbadm_setprop_writefile,
+ smbadm_getprop_writefile, smbadm_chkprop_priv },
{"description", "<string>", smbadm_setprop_desc,
smbadm_getprop_desc, NULL },
};
@@ -1807,6 +1815,30 @@ smbadm_getprop_tkowner(char *gname, smbadm_prop_t *prop)
}
static int
+smbadm_setprop_readfile(char *gname, smbadm_prop_t *prop)
+{
+ return (smbadm_group_setpriv(gname, SE_READ_FILE_LUID, prop));
+}
+
+static int
+smbadm_getprop_readfile(char *gname, smbadm_prop_t *prop)
+{
+ return (smbadm_group_getpriv(gname, SE_READ_FILE_LUID, prop));
+}
+
+static int
+smbadm_setprop_writefile(char *gname, smbadm_prop_t *prop)
+{
+ return (smbadm_group_setpriv(gname, SE_WRITE_FILE_LUID, prop));
+}
+
+static int
+smbadm_getprop_writefile(char *gname, smbadm_prop_t *prop)
+{
+ return (smbadm_group_getpriv(gname, SE_WRITE_FILE_LUID, prop));
+}
+
+static int
smbadm_setprop_backup(char *gname, smbadm_prop_t *prop)
{
return (smbadm_group_setpriv(gname, SE_BACKUP_LUID, prop));
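Review bot: The four new accessors and the `bypass-read` / `bypass-write` table entries have no comment stating what the privileges grant, although priv_table in smb_privilege.c describes them as "Bypass ACL for READ access" and "Bypass ACL for WRITE and DELETE access". Turning either property on lets group members skip file ACL checks, so that belongs where the administrator-facing property is defined. Suggested above smbadm_setprop_readfile(): `/* bypass-read / bypass-write: group members bypass file ACLs for read, or for write and delete. */`.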
diff --git a/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c b/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c
index e13f271e51..4434dc2b29 100644
--- a/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c
+++ b/usr/src/cmd/smbsrv/smbd/smbd_doorsvc.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
#include <sys/list.h>
@@ -103,7 +103,9 @@ smbd_doorop_t smbd_doorops[] = {
{ SMB_DR_DFS_GET_REFERRALS, smbd_dop_dfs_get_referrals },
{ SMB_DR_SHR_HOSTACCESS, smbd_dop_shr_hostaccess },
{ SMB_DR_SHR_EXEC, smbd_dop_shr_exec },
- { SMB_DR_NOTIFY_DC_CHANGED, smbd_dop_notify_dc_changed }
+ { SMB_DR_NOTIFY_DC_CHANGED, smbd_dop_notify_dc_changed },
+ { SMB_DR_LOOKUP_LSID, smbd_dop_lookup_sid },
+ { SMB_DR_LOOKUP_LNAME, smbd_dop_lookup_name }
};
static int smbd_ndoorop = (sizeof (smbd_doorops) / sizeof (smbd_doorops[0]));
@@ -581,6 +583,10 @@ smbd_dop_user_auth_logon(smbd_arg_t *arg)
return (SMB_DOP_EMPTYBUF);
}
+/*
+ * SMB_DR_LOOKUP_NAME,
+ * SMB_DR_LOOKUP_LNAME (local-only, for idmap)
+ */
static int
smbd_dop_lookup_name(smbd_arg_t *arg)
{
@@ -604,7 +610,24 @@ smbd_dop_lookup_name(smbd_arg_t *arg)
(void) snprintf(buf, MAXNAMELEN, "%s\\%s", acct.a_domain,
acct.a_name);
- acct.a_status = lsa_lookup_name(buf, acct.a_sidtype, &ainfo);
+ switch (arg->hdr.dh_op) {
+ case SMB_DR_LOOKUP_NAME:
+ acct.a_status = lsa_lookup_name(buf, acct.a_sidtype, &ainfo);
+ break;
+
+ case SMB_DR_LOOKUP_LNAME:
+ /*
+ * Basically for idmap. Don't call out to AD.
+ */
+ acct.a_status = lsa_lookup_lname(buf, acct.a_sidtype, &ainfo);
+ break;
+
+ default:
+ assert(!"arg->hdr.dh_op");
+ acct.a_status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+
if (acct.a_status == NT_STATUS_SUCCESS) {
acct.a_sidtype = ainfo.a_type;
smb_sid_tostr(ainfo.a_sid, acct.a_sid);
@@ -626,6 +649,10 @@ smbd_dop_lookup_name(smbd_arg_t *arg)
return (SMB_DOP_SUCCESS);
}
+/*
+ * SMB_DR_LOOKUP_SID,
+ * SMB_DR_LOOKUP_LSID (local-only, for idmap)
+ */
static int
smbd_dop_lookup_sid(smbd_arg_t *arg)
{
@@ -641,7 +668,25 @@ smbd_dop_lookup_sid(smbd_arg_t *arg)
return (SMB_DOP_DECODE_ERROR);
sid = smb_sid_fromstr(acct.a_sid);
- acct.a_status = lsa_lookup_sid(sid, &ainfo);
+
+ switch (arg->hdr.dh_op) {
+ case SMB_DR_LOOKUP_SID:
+ acct.a_status = lsa_lookup_sid(sid, &ainfo);
+ break;
+
+ case SMB_DR_LOOKUP_LSID:
+ /*
+ * Basically for idmap. Don't call out to AD.
+ */
+ acct.a_status = lsa_lookup_lsid(sid, &ainfo);
+ break;
+
+ default:
+ assert(!"arg->hdr.dh_op");
+ acct.a_status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+
smb_sid_free(sid);
if (acct.a_status == NT_STATUS_SUCCESS) {
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h b/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h
index 1992857bdc..14cbf858c4 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h
+++ b/usr/src/lib/smbsrv/libmlsvc/common/libmlsvc.h
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _LIBMLSVC_H
@@ -65,7 +65,9 @@ extern "C" {
#endif
uint32_t lsa_lookup_name(char *, uint16_t, smb_account_t *);
+uint32_t lsa_lookup_lname(char *, uint16_t, smb_account_t *);
uint32_t lsa_lookup_sid(smb_sid_t *, smb_account_t *);
+uint32_t lsa_lookup_lsid(smb_sid_t *, smb_account_t *);
/*
* SMB domain API to discover a domain controller and obtain domain
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c
index 47b9466fb4..49fb4d1e29 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c
+++ b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
/*
@@ -38,6 +38,10 @@
#include <lsalib.h>
+static uint32_t lsa_lookup_name_int(char *, uint16_t, smb_account_t *,
+ boolean_t);
+static uint32_t lsa_lookup_sid_int(smb_sid_t *, smb_account_t *, boolean_t);
+
static uint32_t lsa_lookup_name_builtin(char *, char *, smb_account_t *);
static uint32_t lsa_lookup_name_domain(char *, smb_account_t *);
@@ -75,6 +79,20 @@ static uint32_t lsa_map_status(uint32_t);
uint32_t
lsa_lookup_name(char *account, uint16_t type, smb_account_t *info)
{
+ return (lsa_lookup_name_int(account, type, info, B_TRUE));
+}
+
+/* Variant that avoids the call out to AD. */
+uint32_t
+lsa_lookup_lname(char *account, uint16_t type, smb_account_t *info)
+{
+ return (lsa_lookup_name_int(account, type, info, B_FALSE));
+}
+
+uint32_t
+lsa_lookup_name_int(char *account, uint16_t type, smb_account_t *info,
+ boolean_t try_ad)
+{
char nambuf[SMB_USERNAME_MAXLEN];
char dombuf[SMB_PI_MAX_DOMAIN];
char *name, *domain;
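Review bot: `lsa_lookup_name_int()` is forward-declared `static` near the top of the file but defined here as plain `uint32_t`, unlike `lsa_lookup_sid_int()`, whose definition repeats `static`. The function keeps internal linkage from the earlier declaration, so this is a matter of style, but the definition reads as if it were exported, and it is not listed in mapfile-vers. Suggested: `static uint32_t` on the definition, plus a one-line comment that `try_ad` selects whether the domain (AD) lookup is attempted. The function body continues outside the hunk.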
@@ -107,8 +125,10 @@ lsa_lookup_name(char *account, uint16_t type, smb_account_t *info)
if (status == NT_STATUS_SUCCESS)
return (status);
- if ((domain == NULL) || (status == NT_STATUS_NOT_FOUND))
+ if (try_ad && ((domain == NULL) ||
+ (status == NT_STATUS_NOT_FOUND))) {
status = lsa_lookup_name_domain(account, info);
+ }
}
return ((status == NT_STATUS_SUCCESS) ? status : NT_STATUS_NONE_MAPPED);
@@ -117,6 +137,19 @@ lsa_lookup_name(char *account, uint16_t type, smb_account_t *info)
uint32_t
lsa_lookup_sid(smb_sid_t *sid, smb_account_t *info)
{
+ return (lsa_lookup_sid_int(sid, info, B_TRUE));
+}
+
+/* Variant that avoids the call out to AD. */
+uint32_t
+lsa_lookup_lsid(smb_sid_t *sid, smb_account_t *info)
+{
+ return (lsa_lookup_sid_int(sid, info, B_FALSE));
+}
+
+static uint32_t
+lsa_lookup_sid_int(smb_sid_t *sid, smb_account_t *info, boolean_t try_ad)
+{
uint32_t status;
if (!smb_sid_isvalid(sid))
@@ -125,8 +158,9 @@ lsa_lookup_sid(smb_sid_t *sid, smb_account_t *info)
status = lsa_lookup_sid_builtin(sid, info);
if (status == NT_STATUS_NOT_FOUND) {
status = smb_sam_lookup_sid(sid, info);
- if (status == NT_STATUS_NOT_FOUND)
+ if (try_ad && status == NT_STATUS_NOT_FOUND) {
status = lsa_lookup_sid_domain(sid, info);
+ }
}
return ((status == NT_STATUS_SUCCESS) ? status : NT_STATUS_NONE_MAPPED);
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h
index c26eab4a13..c3599849fc 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h
+++ b/usr/src/lib/smbsrv/libmlsvc/common/lsalib.h
@@ -52,8 +52,6 @@ typedef struct mslsa_sid lsa_sid_t;
/*
* lsalib.c
*/
-uint32_t lsa_lookup_name(char *, uint16_t, smb_account_t *);
-uint32_t lsa_lookup_sid(smb_sid_t *, smb_account_t *);
DWORD lsa_query_primary_domain_info(char *, char *, smb_domain_t *);
DWORD lsa_query_account_domain_info(char *, char *, smb_domain_t *);
DWORD lsa_query_dns_domain_info(char *, char *, smb_domain_t *);
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers b/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers
index 81005ae939..80317f002c 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers
+++ b/usr/src/lib/smbsrv/libmlsvc/common/mapfile-vers
@@ -20,7 +20,7 @@
#
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
-# Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+# Copyright 2019 Nexenta Systems, Inc. All rights reserved.
#
#
@@ -45,6 +45,8 @@ SYMBOL_VERSION SUNWprivate {
dfs_info_free;
dssetup_check_service;
dssetup_clear_domain_info;
+ lsa_lookup_lname;
+ lsa_lookup_lsid;
lsa_lookup_name;
lsa_lookup_sid;
mlsvc_disconnect;
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
index af6ab58a1d..4e2cfc5518 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
+++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -56,7 +56,6 @@ static void netr_network_samlogon(ndr_heap_t *, netr_info_t *,
smb_logon_t *, struct netr_logon_info2 *);
static void netr_setup_identity(ndr_heap_t *, smb_logon_t *,
netr_logon_id_t *);
-static boolean_t netr_isadmin(struct netr_validation_info3 *);
static uint32_t netr_setup_domain_groups(struct netr_validation_info3 *,
smb_ids_t *);
static uint32_t netr_setup_krb5res_groups(struct krb5_validation_info *,
@@ -818,7 +817,7 @@ netr_setup_identity(ndr_heap_t *heap, smb_logon_t *user_info,
* token. Called after domain groups have been added.
*/
static uint32_t
-netr_setup_token_wingrps(struct netr_validation_info3 *info3,
+netr_setup_token_wingrps(struct netr_validation_info3 *info3 __unused,
smb_token_t *token)
{
uint32_t status;
@@ -828,9 +827,6 @@ netr_setup_token_wingrps(struct netr_validation_info3 *info3,
if (status != NT_STATUS_SUCCESS)
return (status);
- if (netr_isadmin(info3))
- token->tkn_flags |= SMB_ATF_ADMIN;
-
status = smb_wka_token_groups(token->tkn_flags, &token->tkn_win_grps);
return (status);
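Review bot: After this hunk `netr_setup_token_wingrps()` no longer sets `SMB_ATF_ADMIN`, yet it still passes `token->tkn_flags` to `smb_wka_token_groups()`, and its `info3` parameter is kept only as `__unused`. The function's header comment (its tail is visible in the previous hunk) should say so, because whether a domain administrator is recognised now depends on code outside this file section. Suggested addition to that comment: `* info3 is no longer consulted; SMB_ATF_ADMIN is not set here.` Where the administrator decision is made after this change is not visible in these hunks and is worth naming there as well.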
@@ -923,30 +919,3 @@ static uint32_t netr_setup_krb5res_groups(struct krb5_validation_info *info,
return (0);
}
-
-/*
- * Determines if the given user is the domain Administrator or a
- * member of Domain Admins
- */
-static boolean_t
-netr_isadmin(struct netr_validation_info3 *info3)
-{
- smb_domain_t di;
- int i;
-
- if (!smb_domain_lookup_sid((smb_sid_t *)info3->LogonDomainId, &di))
- return (B_FALSE);
-
- if (di.di_type != SMB_DOMAIN_PRIMARY)
- return (B_FALSE);
-
- if ((info3->UserId == DOMAIN_USER_RID_ADMIN) ||
- (info3->PrimaryGroupId == DOMAIN_GROUP_RID_ADMINS))
- return (B_TRUE);
-
- for (i = 0; i < info3->GroupCount; i++)
- if (info3->GroupIds[i].rid == DOMAIN_GROUP_RID_ADMINS)
- return (B_TRUE);
-
- return (B_FALSE);
-}
diff --git a/usr/src/lib/smbsrv/libsmb/common/libsmb.h b/usr/src/lib/smbsrv/libsmb/common/libsmb.h
index 11a764f0dc..dcfe696157 100644
--- a/usr/src/lib/smbsrv/libsmb/common/libsmb.h
+++ b/usr/src/lib/smbsrv/libsmb/common/libsmb.h
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _LIBSMB_H
@@ -722,7 +722,9 @@ boolean_t smb_lgrp_itererror(smb_giter_t *);
int smb_lgrp_iterate(smb_giter_t *, smb_group_t *);
int smb_lookup_sid(const char *, lsa_account_t *);
+int smb_lookup_lsid(const char *, lsa_account_t *);
int smb_lookup_name(const char *, sid_type_t, lsa_account_t *);
+int smb_lookup_lname(const char *, sid_type_t, lsa_account_t *);
#define SMB_LGRP_SUCCESS 0
#define SMB_LGRP_INVALID_ARG 1
diff --git a/usr/src/lib/smbsrv/libsmb/common/mapfile-vers b/usr/src/lib/smbsrv/libsmb/common/mapfile-vers
index 507165ade8..c8c5f3c4e2 100644
--- a/usr/src/lib/smbsrv/libsmb/common/mapfile-vers
+++ b/usr/src/lib/smbsrv/libsmb/common/mapfile-vers
@@ -19,7 +19,7 @@
#
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
-# Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+# Copyright 2019 Nexenta Systems, Inc. All rights reserved.
#
#
@@ -268,6 +268,8 @@ SYMBOL_VERSION SUNWprivate {
smb_logon_decode;
smb_logon_free;
smb_logon_xdr;
+ smb_lookup_lname;
+ smb_lookup_lsid;
smb_lookup_name;
smb_lookup_sid;
smb_match_netlogon_seqnum;
diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c b/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c
index dfbbfd0483..96702e4c7d 100644
--- a/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_doorclnt.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
#include <assert.h>
@@ -44,6 +44,9 @@ static int smb_door_decode(smb_doorarg_t *);
static void smb_door_sethdr(smb_doorhdr_t *, uint32_t, uint32_t);
static boolean_t smb_door_chkhdr(smb_doorarg_t *, smb_doorhdr_t *);
static void smb_door_free(door_arg_t *arg);
+static int smb_lookup_name_int(const char *name, sid_type_t sidtype,
+ lsa_account_t *acct, int);
+static int smb_lookup_sid_int(const char *sid, lsa_account_t *acct, int);
/*
* Given a SID, make a door call to get the associated name.
@@ -57,6 +60,20 @@ static void smb_door_free(door_arg_t *arg);
int
smb_lookup_sid(const char *sid, lsa_account_t *acct)
{
+ return (smb_lookup_sid_int(sid, acct, SMB_DR_LOOKUP_SID));
+}
+/*
+ * Variant of smb_lookup_sid to do a "local-only" lookup.
+ */
+int
+smb_lookup_lsid(const char *sid, lsa_account_t *acct)
+{
+ return (smb_lookup_sid_int(sid, acct, SMB_DR_LOOKUP_LSID));
+}
+
+static int
+smb_lookup_sid_int(const char *sid, lsa_account_t *acct, int dop)
+{
int rc;
assert((sid != NULL) && (acct != NULL));
@@ -64,7 +81,7 @@ smb_lookup_sid(const char *sid, lsa_account_t *acct)
bzero(acct, sizeof (lsa_account_t));
(void) strlcpy(acct->a_sid, sid, SMB_SID_STRSZ);
- rc = smb_door_call(SMB_DR_LOOKUP_SID, acct, lsa_account_xdr,
+ rc = smb_door_call(dop, acct, lsa_account_xdr,
acct, lsa_account_xdr);
if (rc != 0)
@@ -84,6 +101,19 @@ smb_lookup_sid(const char *sid, lsa_account_t *acct)
int
smb_lookup_name(const char *name, sid_type_t sidtype, lsa_account_t *acct)
{
+ return (smb_lookup_name_int(name, sidtype, acct, SMB_DR_LOOKUP_NAME));
+}
+
+int
+smb_lookup_lname(const char *name, sid_type_t sidtype, lsa_account_t *acct)
+{
+ return (smb_lookup_name_int(name, sidtype, acct, SMB_DR_LOOKUP_LNAME));
+}
+
+static int
+smb_lookup_name_int(const char *name, sid_type_t sidtype, lsa_account_t *acct,
+ int dop)
+{
char tmp[MAXNAMELEN];
char *dp = NULL;
char *np = NULL;
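Review bot: `smb_lookup_lname()` is added without a comment, while its sibling `smb_lookup_lsid()` has one. The prototypes added at the top of the file also leave the last parameter unnamed (`int`) where the definitions call it `dop`. Suggested above the function: `/* Variant of smb_lookup_name to do a "local-only" lookup. */`, and `int dop` in both prototypes. smb_lookup_name_int() continues outside the hunk.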
@@ -104,7 +134,7 @@ smb_lookup_name(const char *name, sid_type_t sidtype, lsa_account_t *acct)
(void) strlcpy(acct->a_name, name, MAXNAMELEN);
}
- rc = smb_door_call(SMB_DR_LOOKUP_NAME, acct, lsa_account_xdr,
+ rc = smb_door_call(dop, acct, lsa_account_xdr,
acct, lsa_account_xdr);
if (rc != 0)
diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c b/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c
index 4ff589bb7c..1fb0adc03c 100644
--- a/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_lgrp.c
@@ -22,7 +22,7 @@
/*
* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013 RackTop Systems.
- * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
#include <stdlib.h>
@@ -2398,6 +2398,8 @@ smb_lgrp_set_default_privs(smb_group_t *grp)
{
if (smb_strcasecmp(grp->sg_name, "Administrators", 0) == 0) {
smb_privset_enable(grp->sg_privs, SE_TAKE_OWNERSHIP_LUID);
+ smb_privset_enable(grp->sg_privs, SE_BACKUP_LUID);
+ smb_privset_enable(grp->sg_privs, SE_RESTORE_LUID);
return;
}
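Review bot: The default privilege set of the local Administrators group grows from take-ownership alone to take-ownership, backup and restore, and nothing at this site records that or why. These defaults decide what the group can do before anyone runs `smbadm`, so a comment is warranted, e.g. `/* Administrators: take-ownership, backup and restore are on by default. */`. Whether groups created before this change pick up the new defaults cannot be told from the hunk. smb_lgrp_set_default_privs() continues below it.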
diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c b/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c
index 2b60a8d549..2b319d53ee 100644
--- a/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_privilege.c
@@ -21,6 +21,8 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
+ *
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -79,7 +81,11 @@ static smb_privinfo_t priv_table[] = {
"Modify firmware environment values", 0 },
{ 23, SE_CHANGE_NOTIFY_NAME, "Bypass traverse checking", 0 },
{ 24, SE_REMOTE_SHUTDOWN_NAME,
- "Force shutdown from a remote system", 0 }
+ "Force shutdown from a remote system", 0 },
+ { 25, SE_READ_FILE_NAME,
+ "Bypass ACL for READ access", PF_PRESENTABLE },
+ { 26, SE_WRITE_FILE_NAME,
+ "Bypass ACL for WRITE and DELETE access", PF_PRESENTABLE },
};
/*
diff --git a/usr/src/man/man1/ptree.1 b/usr/src/man/man1/ptree.1
index d603584e4c..c812b38612 100644
--- a/usr/src/man/man1/ptree.1
+++ b/usr/src/man/man1/ptree.1
@@ -4,12 +4,12 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH PTREE 1 "Oct 30, 2019"
+.TH PTREE 1 "Nov 13, 2019"
.SH NAME
ptree \- print process trees
.SH SYNOPSIS
.nf
-\fB/usr/bin/ptree\fR [\fB-a\fR] [\fB-c\fR] [\fB-g\fR] [\fB-s\fR \fIsvc\fR] [\fB-z\fR \fIzone\fR] [\fIpid\fR | \fIuser\fR]...
+\fB/usr/bin/ptree\fR [\fB-a\fR] [\fB-c\fR] [\fB-g\fR] [\fB-w\fR] [\fB-s\fR \fIsvc\fR] [\fB-z\fR \fIzone\fR] [\fIpid\fR | \fIuser\fR]...
.fi
.SH DESCRIPTION
@@ -65,6 +65,16 @@ See \fBprocess\fR(4).
.sp
.ne 2
.na
+\fB\fB-w\fR\fR
+.ad
+.RS 11n
+Allow output lines to wrap. Normally output lines are truncated to the current
+width of the terminal window.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fB-z\fR \fIzone\fR\fR
.ad
.RS 11n
diff --git a/usr/src/man/man1m/smbadm.1m b/usr/src/man/man1m/smbadm.1m
index bee77ccf28..10da14181f 100644
--- a/usr/src/man/man1m/smbadm.1m
+++ b/usr/src/man/man1m/smbadm.1m
@@ -16,9 +16,9 @@
.\"
.\"
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.\" Copyright 2017 Nexenta Systems, Inc.
+.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
.\"
-.Dd November 18, 2017
+.Dd June 6, 2019
.Dt SMBADM 1M
.Os
.Sh NAME
@@ -252,6 +252,10 @@ to restore file system objects.
.It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can take ownership of file
system objects.
+.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off
+Specifies whether members of the SMB local group can always bypass Read access controls.
+.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off
+Specifies whether members of the SMB local group can always bypass Write and Delete access controls.
.El
.It Xo
.Cm add-member
diff --git a/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c b/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c
index e562eb5200..9010e3a181 100644
--- a/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c
+++ b/usr/src/uts/common/fs/smbsrv/smb2_dispatch.c
@@ -10,7 +10,7 @@
*/
/*
- * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
* Copyright 2019 RackTop Systems.
*/
@@ -823,18 +823,21 @@ cmd_start:
*/
if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
!sr->encrypted && sr->uid_user != NULL &&
- (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
+ (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) {
/*
- * This request type should be signed, and
- * we're configured to require signatures.
+ * If the request is signed, check the signature.
+ * Otherwise, if signing is required, deny access.
*/
- if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0) {
- smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
- goto cmd_done;
- }
- rc = smb2_sign_check_request(sr);
- if (rc != 0) {
- DTRACE_PROBE1(smb2__sign__check, smb_request_t *, sr);
+ if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
+ rc = smb2_sign_check_request(sr);
+ if (rc != 0) {
+ DTRACE_PROBE1(smb2__sign__check,
+ smb_request_t *, sr);
+ smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
+ goto cmd_done;
+ }
+ } else if (
+ (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
goto cmd_done;
}
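Review bot: The new `else if` branch rejects an unsigned request on a session that requires signing without firing any probe, while the bad-signature branch above it still fires `smb2__sign__check`. The two rejections return the same NT_STATUS_ACCESS_DENIED, so an operator tracing signing failures cannot tell a missing signature from an invalid one, or see the former at all. A second probe in the `else if` body would close that gap, for example `DTRACE_PROBE1(smb2__sign__missing, smb_request_t *, sr);` (the probe name is only a suggestion). The enclosing `if` block closes outside the hunk.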
diff --git a/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c b/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
index e01edfaea3..e8d8419f93 100644
--- a/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
+++ b/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
@@ -10,7 +10,7 @@
*/
/*
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
* Copyright 2019 RackTop Systems.
*/
@@ -472,8 +472,7 @@ smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
/*
* The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
* and verify that the original negotiate was not modified.
- * The only tampering we need worry about is secmode, and
- * we're not taking that from the client, so don't bother.
+ * The request MUST be signed, and we MUST validate the signature.
*
* One interesting requirement here is that we MUST reply
* with exactly the same information as we returned in our
@@ -486,6 +485,9 @@ smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
uint16_t secmode, num_dialects, dialects[8];
uint8_t clnt_guid[16];
+ if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0)
+ goto drop;
+
if (fsctl->InputCount < 24)
goto drop;
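Review bot: The added test checks only that `SMB2_FLAGS_SIGNED` is set in the header, which is not the same as the signature having been verified, although the comment changed above says the signature MUST be validated. In the smb2_dispatch.c hunk of this commit, `smb2_sign_check_request()` runs only when the session user has `SMB_SIGNING_ENABLED`, so for a session without it (if one can reach this FSCTL) the flag would be accepted unchecked. Consider also requiring `sr->uid_user != NULL && (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0` here, or add a comment explaining why such a session cannot arrive. smb2_nego_validate() continues outside the hunk.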
diff --git a/usr/src/uts/common/fs/smbsrv/smb_authenticate.c b/usr/src/uts/common/fs/smbsrv/smb_authenticate.c
index af9f5d271f..64f26363a6 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_authenticate.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_authenticate.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -544,6 +544,12 @@ smb_priv_xlate(smb_token_t *token)
if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID))
privileges |= SMB_USER_PRIV_CHANGE_NOTIFY;
+ if (smb_token_query_privilege(token, SE_READ_FILE_LUID))
+ privileges |= SMB_USER_PRIV_READ_FILE;
+
+ if (smb_token_query_privilege(token, SE_WRITE_FILE_LUID))
+ privileges |= SMB_USER_PRIV_WRITE_FILE;
+
return (privileges);
}
diff --git a/usr/src/uts/common/fs/smbsrv/smb_common_open.c b/usr/src/uts/common/fs/smbsrv/smb_common_open.c
index 0ef06a3c3e..8007463ba1 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_common_open.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_common_open.c
@@ -543,6 +543,13 @@ smb_common_open(smb_request_t *sr)
(op->create_disposition == FILE_OVERWRITE))
op->desired_access |= FILE_WRITE_DATA;
+ /* Dataset roots can't be deleted, so don't set DOC */
+ if ((op->create_options & FILE_DELETE_ON_CLOSE) != 0 &&
+ (fnode->flags & NODE_FLAGS_VFSROOT) != 0) {
+ status = NT_STATUS_CANNOT_DELETE;
+ goto errout;
+ }
+
status = smb_fsop_access(sr, sr->user_cr, fnode,
op->desired_access);
if (status != NT_STATUS_SUCCESS)
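Review bot: The comment `Dataset roots can't be deleted, so don't set DOC` is the same text as in smb_node_set_delete_on_close(), but this code fails the whole open with NT_STATUS_CANNOT_DELETE rather than skipping the flag. Something like `/* Dataset roots can't be deleted: fail a delete-on-close open up front */` describes what happens here. The check also runs before `smb_fsop_access()`, so a caller without access gets CANNOT_DELETE instead of an access error for a dataset root; that ordering is probably fine but should be a deliberate choice. The `errout` path is outside the hunk.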
diff --git a/usr/src/uts/common/fs/smbsrv/smb_cred.c b/usr/src/uts/common/fs/smbsrv/smb_cred.c
index 8431db4653..1acd5932cd 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_cred.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_cred.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -97,35 +97,6 @@ smb_cred_create(smb_token_t *token)
ksidlist = smb_cred_set_sidlist(&token->tkn_win_grps);
crsetsidlist(cr, ksidlist);
- /*
- * In the AD world, "take ownership privilege" is very much
- * like having Unix "root" privileges. It's normally given
- * to members of the "Administrators" group, which normally
- * includes the the local Administrator (like root) and when
- * joined to a domain, "Domain Admins".
- */
- if (smb_token_query_privilege(token, SE_TAKE_OWNERSHIP_LUID)) {
- (void) crsetpriv(cr,
- PRIV_FILE_CHOWN,
- PRIV_FILE_DAC_READ,
- PRIV_FILE_DAC_SEARCH,
- PRIV_FILE_DAC_WRITE,
- PRIV_FILE_OWNER,
- NULL);
- }
-
- /*
- * See smb.4 bypass_traverse_checking
- *
- * For historical reasons, the Windows privilege is named
- * SeChangeNotifyPrivilege, though the description is
- * "Bypass traverse checking".
- */
- if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) {
- (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL);
- }
-
-
return (cr);
}
diff --git a/usr/src/uts/common/fs/smbsrv/smb_node.c b/usr/src/uts/common/fs/smbsrv/smb_node.c
index 4a932b2f0b..8ce3e70712 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_node.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_node.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
/*
* SMB Node State Machine
@@ -685,6 +685,11 @@ smb_node_set_delete_on_close(smb_node_t *node, cred_t *cr, uint32_t flags)
}
}
+ /* Dataset roots can't be deleted, so don't set DOC */
+ if ((node->flags & NODE_FLAGS_VFSROOT) != 0) {
+ return (NT_STATUS_CANNOT_DELETE);
+ }
+
mutex_enter(&node->n_mutex);
if (node->flags & NODE_FLAGS_DELETE_ON_CLOSE) {
/* It was already marked. We're done. */
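Review bot: The new NODE_FLAGS_VFSROOT test reads `node->flags` before `mutex_enter(&node->n_mutex)`, while the NODE_FLAGS_DELETE_ON_CLOSE test just below reads the same field under the lock. If VFSROOT is set once when the node is created and never changes (not visible here), the unlocked read is harmless but should say so, e.g. `/* NODE_FLAGS_VFSROOT never changes after node creation, so no lock is needed */`. Otherwise the test belongs after mutex_enter. The function starts and ends outside the hunk.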
diff --git a/usr/src/uts/common/fs/smbsrv/smb_user.c b/usr/src/uts/common/fs/smbsrv/smb_user.c
index 8c69e95a56..b46cad1b6f 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_user.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_user.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
* Copyright (c) 2016 by Delphix. All rights reserved.
*/
@@ -755,6 +755,57 @@ smb_user_setcred(smb_user_t *user, cred_t *cr, uint32_t privileges)
ASSERT(cr);
crhold(cr);
+ /*
+ * See smb.4 bypass_traverse_checking
+ *
+ * For historical reasons, the Windows privilege is named
+ * SeChangeNotifyPrivilege, though the description is
+ * "Bypass traverse checking".
+ */
+ if ((privileges & SMB_USER_PRIV_CHANGE_NOTIFY) != 0) {
+ (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL);
+ }
+
+ /*
+ * Window's "take ownership privilege" is similar to our
+ * PRIV_FILE_CHOWN privilege. It's normally given to members of the
+ * "Administrators" group, which normally includes the the local
+ * Administrator (like root) and when joined to a domain,
+ * "Domain Admins".
+ */
+ if ((privileges & SMB_USER_PRIV_TAKE_OWNERSHIP) != 0) {
+ (void) crsetpriv(cr,
+ PRIV_FILE_CHOWN,
+ PRIV_FILE_CHOWN_SELF,
+ NULL);
+ }
+
+ /*
+ * Bypass ACL for READ accesses.
+ */
+ if ((privileges & SMB_USER_PRIV_READ_FILE) != 0) {
+ (void) crsetpriv(cr, PRIV_FILE_DAC_READ, NULL);
+ }
+
+ /*
+ * Bypass ACL for WRITE accesses.
+ * Include FILE_OWNER, as it covers WRITE_ACL and DELETE.
+ */
+ if ((privileges & SMB_USER_PRIV_WRITE_FILE) != 0) {
+ (void) crsetpriv(cr,
+ PRIV_FILE_DAC_WRITE,
+ PRIV_FILE_OWNER,
+ NULL);
+ }
+
+ /*
+ * These privileges are used only when a file is opened with
+ * 'backup intent'. These allow users to bypass certain access
+ * controls. Administrators typically have these privileges,
+ * and they are used during recursive take-ownership operations.
+ * Some commonly used tools use 'backup intent' to administrate
+ * files that do not grant explicit permissions to Administrators.
+ */
if (privileges & (SMB_USER_PRIV_BACKUP | SMB_USER_PRIV_RESTORE))
privcred = crdup(cr);
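Review bot: The `crsetpriv()` calls added here modify `cr` itself, the credential the caller passed in and on which `crhold()` was just taken, rather than a private copy. Before this commit the grants were made in smb_cred_create() (see the smb_cred.c removal), presumably on a cred it had just built; here they are only safe if every caller passes a cred that nothing else references, which the hunk does not show. A comment at the top of the function such as `/* cr must not be shared: privileges are added to it in place */` would record that requirement. The return value of each crsetpriv() is also discarded, so a failed grant goes unnoticed. smb_user_setcred() continues outside the hunk.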
diff --git a/usr/src/uts/common/io/i40e/core/README.illumos b/usr/src/uts/common/io/i40e/core/README.illumos
new file mode 100644
index 0000000000..47cb1fdf2d
--- /dev/null
+++ b/usr/src/uts/common/io/i40e/core/README.illumos
@@ -0,0 +1,91 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+This directory contains files extracted from the Intel ixl-1.6.10 driver for
+FreeBSD with the following modifications/differences. The following two
+changes each modified the common code.
+
+9805 i40e should read SFP data when firmware supports it
+9601 Divide by zero in i40e_get_available_resources()
+
+The following diff was originally applied to add support for Studio and the
+32-bit kernel:
+
+--- ixl-1.6.10/src/i40e_common.c
++++ illumos-gate/usr/src/uts/common/io/i40e/core/i40e_common.c
+@@ -4037,8 +4037,8 @@
+
+ cmd->type = mib_type;
+ cmd->length = CPU_TO_LE16(buff_size);
+- cmd->address_high = CPU_TO_LE32(I40E_HI_WORD((u64)buff));
+- cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((u64)buff));
++ cmd->address_high = CPU_TO_LE32(I40E_HI_WORD((uintptr_t)buff));
++ cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)buff));
+
+ status = i40e_asq_send_command(hw, &desc, buff, buff_size, cmd_details);
+ return status;
+@@ -6585,9 +6585,9 @@
+ i40e_fill_default_direct_cmd_desc(&desc, i40e_aqc_opc_set_proxy_config);
+
+ desc.params.external.addr_high =
+- CPU_TO_LE32(I40E_HI_DWORD((u64)proxy_config));
++ CPU_TO_LE32(I40E_HI_DWORD((uintptr_t)proxy_config));
+ desc.params.external.addr_low =
+- CPU_TO_LE32(I40E_LO_DWORD((u64)proxy_config));
++ CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)proxy_config));
+
+ status = i40e_asq_send_command(hw, &desc, proxy_config,
+ sizeof(struct i40e_aqc_arp_proxy_data),
+@@ -6619,9 +6619,9 @@
+ i40e_aqc_opc_set_ns_proxy_table_entry);
+
+ desc.params.external.addr_high =
+- CPU_TO_LE32(I40E_HI_DWORD((u64)ns_proxy_table_entry));
++ CPU_TO_LE32(I40E_HI_DWORD((uintptr_t)ns_proxy_table_entry));
+ desc.params.external.addr_low =
+- CPU_TO_LE32(I40E_LO_DWORD((u64)ns_proxy_table_entry));
++ CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)ns_proxy_table_entry));
+
+ status = i40e_asq_send_command(hw, &desc, ns_proxy_table_entry,
+ sizeof(struct i40e_aqc_ns_proxy_data),
+@@ -6681,8 +6681,8 @@
+ valid_flags |= I40E_AQC_SET_WOL_FILTER_NO_TCO_ACTION_VALID;
+ cmd->valid_flags = CPU_TO_LE16(valid_flags);
+
+- cmd->address_high = CPU_TO_LE32(I40E_HI_DWORD((u64)filter));
+- cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((u64)filter));
++ cmd->address_high = CPU_TO_LE32(I40E_HI_DWORD((uintptr_t)filter));
++ cmd->address_low = CPU_TO_LE32(I40E_LO_DWORD((uintptr_t)filter));
+
+ status = i40e_asq_send_command(hw, &desc, filter,
+ buff_len, cmd_details);
+--- ixl-1.6.10/src/i40e_register.h
++++ illumos-gate/usr/src/uts/common/io/i40e/core/i40e_register.h
+@@ -113,7 +113,7 @@
+ #define I40E_PF_ATQLEN_ATQCRIT_SHIFT 30
+ #define I40E_PF_ATQLEN_ATQCRIT_MASK I40E_MASK(0x1, I40E_PF_ATQLEN_ATQCRIT_SHIFT)
+ #define I40E_PF_ATQLEN_ATQENABLE_SHIFT 31
+-#define I40E_PF_ATQLEN_ATQENABLE_MASK I40E_MASK(0x1, I40E_PF_ATQLEN_ATQENABLE_SHIFT)
++#define I40E_PF_ATQLEN_ATQENABLE_MASK I40E_MASK(0x1UL, I40E_PF_ATQLEN_ATQENABLE_SHIFT)
+ #define I40E_PF_ATQT 0x00080400 /* Reset: EMPR */
+ #define I40E_PF_ATQT_ATQT_SHIFT 0
+ #define I40E_PF_ATQT_ATQT_MASK I40E_MASK(0x3FF, I40E_PF_ATQT_ATQT_SHIFT)
+--- ixl-1.6.10/src/i40e_type.h
++++ illumos-gate/usr/src/uts/common/io/i40e/core/i40e_type.h
+@@ -49,7 +49,7 @@
+
+ #ifndef I40E_MASK
+ /* I40E_MASK is a macro used on 32 bit registers */
+-#define I40E_MASK(mask, shift) (mask << shift)
++#define I40E_MASK(mask, shift) (((uint32_t)(mask)) << ((uint32_t)(shift)))
+ #endif
+
+ #define I40E_MAX_PF 16
diff --git a/usr/src/uts/common/io/i40e/core/i40e_common.c b/usr/src/uts/common/io/i40e/core/i40e_common.c
index f4dd8da819..0e0dc285ae 100644
--- a/usr/src/uts/common/io/i40e/core/i40e_common.c
+++ b/usr/src/uts/common/io/i40e/core/i40e_common.c
@@ -3823,14 +3823,16 @@ static void i40e_parse_discover_capabilities(struct i40e_hw *hw, void *buff,
/* count the enabled ports (aka the "not disabled" ports) */
hw->num_ports = 0;
for (i = 0; i < 4; i++) {
- u32 port_cfg_reg = I40E_PRTGEN_CNF + (4 * i);
+ enum i40e_status_code status;
+ u32 port_cfg_reg = I40E_PRTGEN_STATUS + (4 * i);
u64 port_cfg = 0;
/* use AQ read to get the physical register offset instead
* of the port relative offset
*/
- i40e_aq_debug_read_register(hw, port_cfg_reg, &port_cfg, NULL);
- if (!(port_cfg & I40E_PRTGEN_CNF_PORT_DIS_MASK))
+ status = i40e_aq_debug_read_register(hw, port_cfg_reg, &port_cfg, NULL);
+ if ((status == I40E_SUCCESS) &&
+ (port_cfg & I40E_PRTGEN_STATUS_PORT_VALID_MASK))
hw->num_ports++;
}
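Review bot: A failed `i40e_aq_debug_read_register()` is now handled exactly like a port that is not valid, and nothing is logged. An admin-queue error during capability discovery therefore silently lowers `hw->num_ports`, possibly to 0, and the cause is invisible afterwards. Logging the failure in the loop would make it diagnosable, for example `i40e_debug(hw, I40E_DEBUG_INIT, "PRTGEN_STATUS read failed for port %d: %d\n", i, status);`. The enclosing function starts and ends outside the hunk.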
diff --git a/usr/src/uts/common/io/nvme/nvme.c b/usr/src/uts/common/io/nvme/nvme.c
index 03fb31ae03..b5743a0c56 100644
--- a/usr/src/uts/common/io/nvme/nvme.c
+++ b/usr/src/uts/common/io/nvme/nvme.c
@@ -4794,9 +4794,7 @@ nvme_ufm_fill_slot(ddi_ufm_handle_t *ufmh, void *arg, uint_t imgno,
if (slotno == (nvme->n_fwslot->fw_afi - 1))
attr |= DDI_UFM_ATTR_ACTIVE;
- if (slotno == 0 && nvme->n_idctl->id_frmw.fw_readonly == 0)
- attr |= DDI_UFM_ATTR_WRITEABLE;
- else
+ if (slotno != 0 || nvme->n_idctl->id_frmw.fw_readonly == 0)
attr |= DDI_UFM_ATTR_WRITEABLE;
if (nvme->n_fwslot->fw_frs[slotno][0] == '\0') {
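Review bot: The rewritten condition `slotno != 0 || ...fw_readonly == 0` carries no comment saying why slot index 0 is treated differently, and the code it replaces set DDI_UFM_ATTR_WRITEABLE on both branches, so the intent is easy to lose again. A one-line comment above it would help, e.g. `/* Only the first slot can be read-only, as reported by id_frmw.fw_readonly */`. nvme_ufm_fill_slot() continues outside the hunk.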
diff --git a/usr/src/uts/common/rpc/clnt_cots.c b/usr/src/uts/common/rpc/clnt_cots.c
index 2e64ab0922..d15710d467 100644
--- a/usr/src/uts/common/rpc/clnt_cots.c
+++ b/usr/src/uts/common/rpc/clnt_cots.c
@@ -22,6 +22,7 @@
/*
* Copyright 2016 Nexenta Systems, Inc. All rights reserved.
* Copyright (c) 2016 by Delphix. All rights reserved.
+ * Copyright 2019 Joyent, Inc.
*/
/*
@@ -623,6 +624,7 @@ clnt_cots_kcreate(dev_t dev, struct netbuf *addr, int family, rpcprog_t prog,
* The zalloc initialized the fields below.
* p->cku_xid = 0;
* p->cku_flags = 0;
+ * p->cku_srcaddr.buf = NULL;
* p->cku_srcaddr.len = 0;
* p->cku_srcaddr.maxlen = 0;
*/
@@ -1579,8 +1581,7 @@ clnt_cots_kinit(CLIENT *h, dev_t dev, int family, struct netbuf *addr,
p->cku_cred = cred;
if (p->cku_addr.maxlen < addr->len) {
- if (p->cku_addr.maxlen != 0 && p->cku_addr.buf != NULL)
- kmem_free(p->cku_addr.buf, p->cku_addr.maxlen);
+ kmem_free(p->cku_addr.buf, p->cku_addr.maxlen);
p->cku_addr.buf = kmem_zalloc(addr->maxlen, KM_SLEEP);
p->cku_addr.maxlen = addr->maxlen;
}
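Review bot: The now unconditional `kmem_free(p->cku_addr.buf, p->cku_addr.maxlen)` depends on `buf` being NULL exactly when `maxlen` is 0, where the removed guard tolerated the two fields being out of step. The connmgr_close() hunk later in this file (-2565) makes the same assumption for `x_server` and `x_src`. Stating the invariant would catch a violation on DEBUG kernels, e.g. `ASSERT((p->cku_addr.buf == NULL) == (p->cku_addr.maxlen == 0));`, with the equivalent for the two buffers in connmgr_close(). clnt_cots_kinit() continues outside the hunk.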
@@ -1933,10 +1934,9 @@ use_new_conn:
* a later retry.
*/
if (srcaddr->len != lru_entry->x_src.len) {
- if (srcaddr->len > 0)
- kmem_free(srcaddr->buf,
- srcaddr->maxlen);
- srcaddr->buf = kmem_zalloc(
+ kmem_free(srcaddr->buf, srcaddr->maxlen);
+ ASSERT(lru_entry->x_src.len != 0);
+ srcaddr->buf = kmem_alloc(
lru_entry->x_src.len, KM_SLEEP);
srcaddr->maxlen = srcaddr->len =
lru_entry->x_src.len;
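Review bot: `ASSERT(lru_entry->x_src.len != 0)` is the only guard before `kmem_alloc(lru_entry->x_src.len, KM_SLEEP)`, and ASSERT is compiled out of non-DEBUG kernels. The -2256 hunk in this file now leaves `x_src` empty when `srcaddr->len` is 0, so a zero-length `x_src` is a state this code can create. Whether it can reach this branch depends on the enclosing condition, which is outside the hunk. If it can, handle the zero-length case explicitly by setting `srcaddr->buf` to NULL and both lengths to 0 instead of allocating; if it cannot, a comment naming the condition that excludes it would do. The connmgr_wrapconnect() hunk (-2438) has the same pattern.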
@@ -2091,7 +2091,7 @@ start_retry_loop:
cm_entry = (struct cm_xprt *)
kmem_zalloc(sizeof (struct cm_xprt), KM_SLEEP);
- cm_entry->x_server.buf = kmem_zalloc(destaddr->len, KM_SLEEP);
+ cm_entry->x_server.buf = kmem_alloc(destaddr->len, KM_SLEEP);
bcopy(destaddr->buf, cm_entry->x_server.buf, destaddr->len);
cm_entry->x_server.len = cm_entry->x_server.maxlen = destaddr->len;
@@ -2256,9 +2256,11 @@ start_retry_loop:
/*
* Set up a transport entry in the connection manager's list.
*/
- cm_entry->x_src.buf = kmem_zalloc(srcaddr->len, KM_SLEEP);
- bcopy(srcaddr->buf, cm_entry->x_src.buf, srcaddr->len);
- cm_entry->x_src.len = cm_entry->x_src.maxlen = srcaddr->len;
+ if (srcaddr->len > 0) {
+ cm_entry->x_src.buf = kmem_alloc(srcaddr->len, KM_SLEEP);
+ bcopy(srcaddr->buf, cm_entry->x_src.buf, srcaddr->len);
+ cm_entry->x_src.len = cm_entry->x_src.maxlen = srcaddr->len;
+ } /* Else kmem_zalloc() of cm_entry already sets its x_src to NULL. */
cm_entry->x_tiptr = tiptr;
cm_entry->x_time = ddi_get_lbolt();
@@ -2438,12 +2440,11 @@ connmgr_wrapconnect(
* in case of a later retry.
*/
if (srcaddr->len != cm_entry->x_src.len) {
- if (srcaddr->maxlen > 0)
- kmem_free(srcaddr->buf, srcaddr->maxlen);
- srcaddr->buf = kmem_zalloc(cm_entry->x_src.len,
+ kmem_free(srcaddr->buf, srcaddr->maxlen);
+ ASSERT(cm_entry->x_src.len != 0);
+ srcaddr->buf = kmem_alloc(cm_entry->x_src.len,
KM_SLEEP);
- srcaddr->maxlen = srcaddr->len =
- cm_entry->x_src.len;
+ srcaddr->maxlen = srcaddr->len = cm_entry->x_src.len;
}
bcopy(cm_entry->x_src.buf, srcaddr->buf, srcaddr->len);
}
@@ -2565,10 +2566,8 @@ connmgr_close(struct cm_xprt *cm_entry)
cv_destroy(&cm_entry->x_conn_cv);
cv_destroy(&cm_entry->x_dis_cv);
- if (cm_entry->x_server.buf != NULL)
- kmem_free(cm_entry->x_server.buf, cm_entry->x_server.maxlen);
- if (cm_entry->x_src.buf != NULL)
- kmem_free(cm_entry->x_src.buf, cm_entry->x_src.maxlen);
+ kmem_free(cm_entry->x_server.buf, cm_entry->x_server.maxlen);
+ kmem_free(cm_entry->x_src.buf, cm_entry->x_src.maxlen);
kmem_free(cm_entry, sizeof (struct cm_xprt));
}
@@ -2631,11 +2630,11 @@ connmgr_connect(
queue_t *wq,
struct netbuf *addr,
int addrfmly,
- calllist_t *e,
- int *tidu_ptr,
- bool_t reconnect,
- const struct timeval *waitp,
- bool_t nosignal,
+ calllist_t *e,
+ int *tidu_ptr,
+ bool_t reconnect,
+ const struct timeval *waitp,
+ bool_t nosignal,
cred_t *cr)
{
mblk_t *mp;
diff --git a/usr/src/uts/common/smbsrv/smb_door.h b/usr/src/uts/common/smbsrv/smb_door.h
index a59040ecdf..0c8ad198b4 100644
--- a/usr/src/uts/common/smbsrv/smb_door.h
+++ b/usr/src/uts/common/smbsrv/smb_door.h
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _SMBSRV_SMB_DOOR_H
@@ -70,7 +70,9 @@ typedef enum smb_dopcode {
SMB_DR_DFS_GET_REFERRALS,
SMB_DR_SHR_HOSTACCESS,
SMB_DR_SHR_EXEC,
- SMB_DR_NOTIFY_DC_CHANGED
+ SMB_DR_NOTIFY_DC_CHANGED,
+ SMB_DR_LOOKUP_LSID,
+ SMB_DR_LOOKUP_LNAME
} smb_dopcode_t;
struct smb_event;
diff --git a/usr/src/uts/common/smbsrv/smb_ktypes.h b/usr/src/uts/common/smbsrv/smb_ktypes.h
index 20d214a523..5bd83324c4 100644
--- a/usr/src/uts/common/smbsrv/smb_ktypes.h
+++ b/usr/src/uts/common/smbsrv/smb_ktypes.h
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
/*
@@ -1012,6 +1012,8 @@ typedef struct smb_session {
#define SMB_USER_PRIV_BACKUP (1<<17) /* SE_BACKUP_LUID */
#define SMB_USER_PRIV_RESTORE (1<<18) /* SE_RESTORE_LUID */
#define SMB_USER_PRIV_CHANGE_NOTIFY (1<<23) /* SE_CHANGE_NOTIFY_LUID */
+#define SMB_USER_PRIV_READ_FILE (1<<25) /* SE_READ_FILE_LUID */
+#define SMB_USER_PRIV_WRITE_FILE (1<<26) /* SE_WRITE_FILE_LUID */
/*
* See the long "User State Machine" comment in smb_user.c
diff --git a/usr/src/uts/common/smbsrv/smb_privilege.h b/usr/src/uts/common/smbsrv/smb_privilege.h
index cbca27107f..93e79d0689 100644
--- a/usr/src/uts/common/smbsrv/smb_privilege.h
+++ b/usr/src/uts/common/smbsrv/smb_privilege.h
@@ -22,7 +22,7 @@
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
*/
#ifndef _SMB_PRIVILEGE_H
@@ -97,6 +97,8 @@ extern "C" {
#define SE_SYSTEM_ENVIRONMENT_NAME "SeSystemEnvironmentPrivilege"
#define SE_CHANGE_NOTIFY_NAME "SeChangeNotifyPrivilege"
#define SE_REMOTE_SHUTDOWN_NAME "SeRemoteShutdownPrivilege"
+#define SE_READ_FILE_NAME "BypassAclRead"
+#define SE_WRITE_FILE_NAME "BypassAclWrite"
#define SE_MIN_LUID 2
#define SE_CREATE_TOKEN_LUID 2
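Review bot: The two new names, `"BypassAclRead"` and `"BypassAclWrite"`, do not follow the `Se…Privilege` pattern of every other entry, and nothing marks them as local extensions rather than Windows-defined privileges. The LUIDs paired with them later in this header, 25 and 26, are values that Windows headers assign to other privileges (SeUndockPrivilege and SeSyncAgentPrivilege, as far as I know). A privilege list that originated on a Windows system could then be misread as granting ACL bypass, if such a list is ever consumed here. A comment above the two defines would flag this, e.g. `/* Local extensions, not Windows privileges; LUIDs 25 and 26 have a different meaning on Windows */`.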
@@ -122,7 +124,9 @@ extern "C" {
#define SE_SYSTEM_ENVIRONMENT_LUID 22
#define SE_CHANGE_NOTIFY_LUID 23
#define SE_REMOTE_SHUTDOWN_LUID 24
-#define SE_MAX_LUID 24
+#define SE_READ_FILE_LUID 25
+#define SE_WRITE_FILE_LUID 26
+#define SE_MAX_LUID 26
/*
* Privilege attributes