From: "Timur I. Bakeyev"
Date: Sun, 25 Mar 2018 00:34:28 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r465492 - in head/net/samba48: . files files/man

Author: timur
Date: Sun Mar 25 00:34:28 2018
New Revision: 465492
URL: https://svnweb.freebsd.org/changeset/ports/465492

Log:
  Initial attempt to bring Samba 4.8 to FreeBSD. Still, there could be rough edges. Don't try it in the production environment yet.

  Sponsored by: ixSystems Inc.

Added:
  head/net/samba48/files/man/samba_gpoupdate.8 (contents, props changed)
  head/net/samba48/files/patch-quickfix__in__progress (contents, props changed)
  head/net/samba48/files/patch-source3__modules__wscript_build (contents, props changed)
  head/net/samba48/files/patch-source4__dsdb__samdb__ldb_modules__encrypted_secrets.c (contents, props changed)
  head/net/samba48/files/patch-vfs_freebsd.c (contents, props changed)
  head/net/samba48/files/patch-vfs_virusfilter (contents, props changed)
Modified:
  head/net/samba48/Makefile
  head/net/samba48/distinfo
  head/net/samba48/files/README.FreeBSD.in
  head/net/samba48/files/samba_server.in
  head/net/samba48/pkg-descr
  head/net/samba48/pkg-plist

Modified: head/net/samba48/Makefile ============================================================================== --- head/net/samba48/Makefile Sat Mar 24 22:27:38 2018 (r465491) +++ head/net/samba48/Makefile Sun Mar 25 00:34:28 2018 (r465492) 
@@ -1,7 +1,7 @@ # Created by: timur@FreeBSD.org # $FreeBSD$ -PORTNAME= ${SAMBA4_BASENAME}47 +PORTNAME= ${SAMBA4_BASENAME}48 PORTVERSION= ${SAMBA4_VERSION} PORTREVISION= 0 CATEGORIES?= net @@ -15,14 +15,14 @@ LICENSE= GPLv3 IGNORE_NONTHREAD_PYTHON= needs port lang/python${PYTHON_SUFFIX} to be build with THREADS support -CONFLICTS_INSTALL?= samba4-4.0.* samba4[1-689]-4.* p5-Parse-Pidl-4.* +CONFLICTS_INSTALL?= samba4-4.0.* samba4[1-79]-4.* p5-Parse-Pidl-4.* EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 EXTRA_PATCHES+= ${PATCHDIR}/0001-Freenas-master-mdns-fixes-22.patch:-p1 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.7.6 +SAMBA4_VERSION= 4.8.0 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -60,6 +60,7 @@ CONFIGURE_ARGS+= --mandir="${MANPREFIX}/man" \ --with-lockdir="${SAMBA4_LOCKDIR}" \ --with-statedir="${SAMBA4_LOCKDIR}" \ --with-cachedir="${SAMBA4_LOCKDIR}" \ + --with-bind-dns-dir=${SAMBA4_BINDDNSDIR} \ --with-privatedir="${SAMBA4_PRIVATEDIR}" \ --with-logfilebase="${SAMBA4_LOGDIR}" # XXX: Flags @@ -92,7 +93,7 @@ OPTIONS_DEFINE+= DEVELOPER MANDOC OPTIONS_DEFINE_amd64= AESNI OPTIONS_DEFAULT_amd64= AESNI -OPTIONS_DEFINE+= CLUSTER CUPS GLUSTERFS GPGME NTVFS SPOTLIGHT +OPTIONS_DEFINE+= CUPS GPGME NTVFS SPOTLIGHT OPTIONS_RADIO= DNS ZEROCONF OPTIONS_RADIO_DNS= NSUPDATE BIND99 BIND910 BIND911 @@ -121,6 +122,8 @@ BIND910_DESC= Use Bind 9.10 as AD DC DNS server fron BIND911_DESC= Use Bind 9.11 as AD DC DNS server frontend NSUPDATE_DESC= Use samba NSUPDATE utility for AD DC ############################################################################## +PLIST_SUB+= CLUSTER="@comment " +SUB_LIST+= CLUSTER="@comment " # XXX: Unconditional dependencies which can't be switched off(if present in the system) # popt LIB_DEPENDS+= libpopt.so:devel/popt 
@@ -146,7 +149,7 @@ RUN_DEPENDS+= libarchive>=3.1.2:archivers/libarchive #SAMBA4_BUNDLED_TEVENT= yes #SAMBA4_BUNDLED_TDB= yes #SAMBA4_BUNDLED_LDB= yes -SAMBA4_LDB= 12 +SAMBA4_LDB= 13 # cmocka .if defined(SAMBA4_BUNDLED_CMOCKA) SAMBA4_BUNDLED_LIBS+= cmocka @@ -350,7 +353,7 @@ LIB_DEPENDS+= libdbus-1.so:devel/dbus LIB_DEPENDS+= libdbus-glib-1.so:devel/dbus-glib .endif -#SAMBA4_MODULES+= vfs_freebsd +SAMBA4_MODULES+= vfs_freebsd SAMBA4_MODULES+= idmap_nss idmap_autorid idmap_rid idmap_hash idmap_tdb idmap_tdb2 idmap_script nss-info_hash # List of extra modules taken from RHEL build @@ -362,7 +365,7 @@ SAMBA4_MODULES+= idmap_ad idmap_rfc2307 nss-info_temp .if ${PORT_OPTIONS:MDEVELOPER} SAMBA4_MODULES+= auth_skel pdb_test gpext_security gpext_registry gpext_scripts perfcount_test \ vfs_fake_dfq vfs_skel_opaque vfs_skel_transparent vfs_shadow_copy_test vfs_fake_acls \ - vfs_nfs4acl_xattr + vfs_nfs4acl_xattr vfs_error_inject .endif .if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES) @@ -521,6 +524,7 @@ pre-build-MANDOC-off: source4/lib/registry/man/regpatch.1 \ source4/lib/registry/man/regshell.1 \ source4/lib/registry/man/regtree.1 \ + source4/scripting/man/samba_gpoupdate.8 \ source4/torture/man/gentest.1 \ source4/torture/man/locktest.1 \ source4/torture/man/masktest.1 \ Modified: head/net/samba48/distinfo ============================================================================== --- head/net/samba48/distinfo Sat Mar 24 22:27:38 2018 (r465491) +++ head/net/samba48/distinfo Sun Mar 25 00:34:28 2018 (r465492) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1520935629 -SHA256 (samba-4.7.6.tar.gz) = 1eede30fc8ef6504e24602fb72b00baa0a7b73b59f16d25cb0771dc8c7c57d6e -SIZE (samba-4.7.6.tar.gz) = 16864824 +TIMESTAMP = 1520983130 +SHA256 (samba-4.8.0.tar.gz) = 87d9b585dbd8628e79aabb6e621a94bd20a072a00762e78e0899fad22fc18fb7 +SIZE (samba-4.8.0.tar.gz) = 17659751 Modified: head/net/samba48/files/README.FreeBSD.in ============================================================================== --- head/net/samba48/files/README.FreeBSD.in Sat Mar 24 22:27:38 2018 (r465491) +++ head/net/samba48/files/README.FreeBSD.in Sun Mar 25 00:34:28 2018 (r465492) 
@@ -23,28 +23,22 @@ FreeBSD specific information * Provisioning script is: %%PREFIX%%/bin/samba-tool -Samba4 provisioning requires file system(s) with POSIX ACLs support. At -the moment that is UFS2 only. You have to add 'acls' option to the mount -flags to get things working. +Samba4 provisioning requires file system(s) with the ACLs support. On +UFS2 you need to enable POSIX ACLs by adding 'acls' option to the mount +flags, on ZFS you need to use NFSv4 ACLs and `zfsacl` VFS module to get +provisioning work. -It is known that ZFS-only installations don't work out of the box with -Samba4. In partucular, s3fs service requires POSIX ACLs during provi- -sioning. It is possible to work around that requirement by specifying: +There is a hack in the code, that makes provisioning work on UFS2 and in +the jails on the price of using USER extattr(2) namespace, which is less +secure than SYSTEM namespace, as can be edited not only by root user, but +also by the owner of the file. - # samba-tool domain provision --interactive --use-xattrs=no --use-ntvfs +For the provisioning on ZFS you need to use additional parameters to the +samba-tool, that would explicitly add `zfsacl` to the default `vfs objects`: -And removing later in '%%SAMBA4_CONFIG%%' options like: + # samba-tool domain provision --interactive \ + --option="vfs objects"="dfs_samba4 zfsacl" - 'server services', 'dcerpc endpoint servers', 'posix:eadb' - -and adding 'vfs objects = zfsacl' as well. Still this isn't supported -and tested configuration, so use it at your own risk. - -You may find this tutorial useful, if you happen to run Samba4 on -ZFS-root: - - o http://glsan.com/community/samba4 - To run this port you need to perform the following steps: --------------------------------------------------------- 
@@ -52,9 +46,6 @@ To run this port you need to perform the following ste all the relevant files. That includes 'smb.conf' file and all the content of the '/var/db/samba/' directory. -If you had Samba4-devel installation before to my knowledge the best -option would be to start from scratch. - 1a. Create new '%%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%' file by running: # samba-tool domain provision @@ -75,8 +66,8 @@ Stop them, if necessary. 4. Run '%%PREFIX%%/etc/rc.d/samba_server start' or reboot. -WARNING! This port is still experimental and if you need any asistance, -please, check archives of samba@lists.samba.org and ask there for help. +Please, check archives of samba@lists.samba.org and ask there for help, +if necessary: https://lists.samba.org/archive/samba/ Added: head/net/samba48/files/man/samba_gpoupdate.8 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba48/files/man/samba_gpoupdate.8 Sun Mar 25 00:34:28 2018 (r465492) 
@@ -0,0 +1,113 @@ +'\" t +.\" Title: SAMBA_GPOUPDATE +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.76.1 +.\" Date: 2017-07-11 +.\" Manual: System Administration tools +.\" Source: Samba 4.8.0 +.\" Language: English +.\" +.TH "SAMBA_GPOUPDATE" "8" "2017\-07\-11" "Samba 4\&.8\&.0" "System Administration tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +samba_gpoupdate \- apply group policy +.SH "SYNOPSIS" +.HP \w'\fBsamba_gpoupdate\fR\ 'u +\fBsamba_gpoupdate\fR +.HP \w'\fBsamba_gpoupdate\fR\ 'u +\fBsamba_gpoupdate\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +This tool is part of the +\fBsamba\fR(1) +suite\&. +.PP +\fBsamba_gpoupdate\fR +a script for applying and unapplying Group Policy\&. Group Policy application is experimental\&. Currently this applies password policies (minimum/maximum password age, minimum password length, and password complexity) and kerberos policies (user/service ticket lifetime and renew lifetime)\&. 
+.SH "OPTIONS" +.PP +\fB\-h\fR, +\fB\-\-help\fR +show this help message and exit +.PP +\fB\-H \fRURL, +\fB\-\-url\fR=\fIURL\fR +URL for the samdb +.PP +\fB\-X\fR, +\fB\-\-unapply\fR +Unapply Group Policy +.PP +Samba Common Options: +.PP +\fB\-s \fRFILE, +\fB\-\-configfile\fR=\fIFILE\fR +Configuration file +.PP +\fB\-d \fRDEBUGLEVEL, +\fB\-\-debuglevel\fR=\fIDEBUGLEVEL\fR +debug level +.PP +\fB\-\-option\fR=\fIOPTION\fR +set smb\&.conf option from command line +.PP +\fB\-\-realm\fR=\fIREALM\fR +set the realm name +.PP +Version Options: +.PP +\fB\-V\fR, +\fB\-\-version\fR +Display version number +.PP +Credentials Options: +.PP +\fB\-\-simple\-bind\-dn\fR=\fIDN\fR +DN to use for a simple bind +.PP +\fB\-\-password\fR=\fIPASSWORD\fR +Password +.PP +\fB\-U \fRUSERNAME, +\fB\-\-username\fR=\fIUSERNAME\fR +Username +.PP +\fB\-W \fRWORKGROUP, +\fB\-\-workgroup\fR=\fIWORKGROUP\fR +Workgroup +.PP +\fB\-N\fR, +\fB\-\-no\-pass\fR +Don\*(Aqt ask for a password +.PP +\fB\-k \fRKERBEROS, +\fB\-\-kerberos\fR=\fIKERBEROS\fR +Use Kerberos +.PP +\fB\-\-ipaddress\fR=\fIIPADDRESS\fR +IP address of server +.PP +\fB\-P\fR, +\fB\-\-machine\-pass\fR +Use stored machine account password +.SH "AUTHOR" +.PP +The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. Added: head/net/samba48/files/patch-quickfix__in__progress ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba48/files/patch-quickfix__in__progress Sun Mar 25 00:34:28 2018 (r465492) 
@@ -0,0 +1,24 @@ +--- source3/libnet/libnet_join.c.orig 2018-02-25 04:01:39 UTC ++++ source3/libnet/libnet_join.c +@@ -2652,9 +2652,9 @@ static WERROR libnet_DomainJoin(TALLOC_C + DEBUG(5, ("failed to precreate account in ou %s: %s", + r->in.account_ou, ads_errstr(ads_status))); + } +-#endif /* HAVE_ADS */ + + rpc_join: ++#endif /* HAVE_ADS */ + if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && + (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) { + status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli); +--- source3/libsmb/namequery_dc.c.orig 2018-02-25 02:59:41.002983000 +0100 ++++ source3/libsmb/namequery_dc.c 2018-02-25 02:59:56.770533000 +0100 +@@ -32,7 +32,7 @@ + Is this our primary domain ? + **********************************************************************/ + +-#ifdef HAVE_KRB5 ++#ifdef HAVE_ADS + static bool is_our_primary_domain(const char *domain) + { + int role = lp_server_role(); Added: head/net/samba48/files/patch-source3__modules__wscript_build ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba48/files/patch-source3__modules__wscript_build Sun Mar 25 00:34:28 2018 (r465492) 
@@ -0,0 +1,17 @@ +--- source3/modules/wscript_build.orig 2018-02-25 05:33:23 UTC ++++ source3/modules/wscript_build +@@ -222,6 +222,14 @@ bld.SAMBA3_MODULE('vfs_zfsacl', + internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_zfsacl'), + enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl')) + ++bld.SAMBA3_MODULE('vfs_freebsd', ++ subsystem='vfs', ++ source='vfs_freebsd.c', ++ deps='samba-util', ++ init_function='', ++ internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_freebsd'), ++ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_freebsd')) ++ + xdr_buf_hack = 'sed -e "s@^\([ \t]*register int32_t \*buf\);@\\1 = buf;@"' + + bld.SAMBA_GENERATOR('nfs41acl-xdr-c', Added: head/net/samba48/files/patch-source4__dsdb__samdb__ldb_modules__encrypted_secrets.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba48/files/patch-source4__dsdb__samdb__ldb_modules__encrypted_secrets.c Sun Mar 25 00:34:28 2018 (r465492) @@ -0,0 +1,22 @@ +--- source4/dsdb/samdb/ldb_modules/encrypted_secrets.c.orig 2018-03-01 22:18:10 UTC ++++ source4/dsdb/samdb/ldb_modules/encrypted_secrets.c +@@ -750,16 +750,16 @@ static struct ldb_val gnutls_encrypt_aea + * Encrypt the value. + */ + { +- size_t el; +- const unsigned block_size = gnutls_cipher_get_tag_size( ++ const unsigned block_size = gnutls_cipher_get_block_size( + data->encryption_algorithm); +- const unsigned tag_size = gnutls_cipher_get_block_size( ++ const unsigned tag_size = gnutls_cipher_get_tag_size( + data->encryption_algorithm); + const size_t ed_size = round_to_block_size( + block_size, + sizeof(struct PlaintextSecret) + val.length); + const size_t en_size = ed_size + tag_size; + uint8_t *ct = talloc_zero_size(frame, en_size); ++ size_t el = en_size; + + if (ct == NULL) { + ldb_set_errstring(ldb, Added: head/net/samba48/files/patch-vfs_freebsd.c ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba48/files/patch-vfs_freebsd.c Sun Mar 25 00:34:28 2018 (r465492) 
@@ -0,0 +1,1785 @@ +--- /dev/null 2018-03-05 02:00:00 UTC ++++ source3/modules/vfs_freebsd.c 2018-03-05 02:04:19.982828000 +0100 +@@ -0,0 +1,1782 @@ ++/* ++ * This module implements VFS calls specific to FreeBSD ++ * ++ * Copyright (C) Timur I. Bakeyev, 2018 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, see . ++ */ ++ ++#include "includes.h" ++ ++//#include "../source3/include/includes.h" ++#include "lib/util/tevent_unix.h" ++#include "lib/util/tevent_ntstatus.h" ++#include "system/filesys.h" ++ ++#include ++ ++ ++#ifndef EXTATTR_MAXNAMELEN ++#define EXTATTR_MAXNAMELEN UINT8_MAX ++#endif ++ ++#define EXTATTR_NAMESPACE(NS) EXTATTR_NAMESPACE_ ## NS, \ ++ EXTATTR_NAMESPACE_ ## NS ## _STRING ".", \ ++ .data.len = (sizeof(EXTATTR_NAMESPACE_ ## NS ## _STRING ".") - 1) ++ ++#define EXTATTR_EMPTY 0x00 ++#define EXTATTR_USER 0x01 ++#define EXTATTR_SYSTEM 0x02 ++#define EXTATTR_SECURITY 0x03 ++#define EXTATTR_TRUSTED 0x04 ++ ++ ++static bool is_secure = true; ++static bool is_legacy = false; ++ ++typedef struct { ++ int namespace; ++ char name[EXTATTR_MAXNAMELEN+1]; ++ union { ++ uint16_t len; ++ uint16_t flags; ++ } data; ++} extattr_attr; ++ ++ ++/* XXX: This order doesn't match namespace ids order! 
*/ ++static extattr_attr extattr[] = { ++ { EXTATTR_NAMESPACE(EMPTY) }, ++ { EXTATTR_NAMESPACE(SYSTEM) }, ++ { EXTATTR_NAMESPACE(USER) }, ++}; ++ ++typedef struct { ++ enum { ++ FILE, LINK, FDES ++ } method; ++ union { ++ const char *path; ++ int filedes; ++ } param; ++} extattr_arg; ++ ++ ++ ++static bool freebsd_in_jail(void) { ++ int val = 0; ++ size_t val_len = sizeof(val); ++ ++ if((sysctlbyname("security.jail.jailed", &val, &val_len, NULL, 0) != -1) && val == 1) { ++ return true; ++ } ++ return false; ++} ++ ++static uint16_t freebsd_map_attrname(const char *name) ++{ ++ if(name == NULL || name[0] == '\0') { ++ return EXTATTR_EMPTY; ++ } ++ ++ switch(name[0]) { ++ case 'u': ++ if(strncmp(name, "user.", 5) == 0) ++ return EXTATTR_USER; ++ break; ++ case 't': ++ if(strncmp(name, "trusted.", 8) == 0) ++ return EXTATTR_TRUSTED; ++ break; ++ case 's': ++ /* name[1] could be any character, including '\0' */ ++ switch(name[1]) { ++ case 'e': ++ if(strncmp(name, "security.", 9) == 0) ++ return EXTATTR_SECURITY; ++ break; ++ case 'y': ++ if(strncmp(name, "system.", 7) == 0) ++ return EXTATTR_SYSTEM; ++ break; ++ } ++ break; ++ } ++ return EXTATTR_USER; ++} ++ ++/* security, system, trusted or user */ ++static extattr_attr* freebsd_map_xattr(const char *name, extattr_attr *attr) ++{ ++ int attrnamespace = EXTATTR_NAMESPACE_EMPTY; ++ const char *attrname = name; ++ ++ if(name == NULL || name[0] == '\0') { ++ return NULL; ++ } ++ ++ if(attr == NULL) { ++ return NULL; ++ } ++ ++ uint16_t flags = freebsd_map_attrname(name); ++ ++ switch(flags) { ++ case EXTATTR_USER: ++ attrnamespace = EXTATTR_NAMESPACE_USER; ++ if(is_legacy) ++ attrname = name + 5; ++ break; ++ case EXTATTR_SECURITY: ++ case EXTATTR_TRUSTED: ++ attrnamespace = (is_secure) ? ++ EXTATTR_NAMESPACE_SYSTEM : ++ EXTATTR_NAMESPACE_USER; ++ break; ++ case EXTATTR_SYSTEM: ++ attrnamespace = (is_secure) ? 
++ EXTATTR_NAMESPACE_SYSTEM : ++ EXTATTR_NAMESPACE_USER; ++ if (is_legacy) ++ attrname = name + 7; ++ break; ++ default: ++ /* Default to "user" namespace if nothing else was specified */ ++ attrnamespace = EXTATTR_NAMESPACE_USER; ++ flags = EXTATTR_USER; ++ } ++ ++ attr->namespace = attrnamespace; ++ attr->data.flags = flags; ++ strlcpy(attr->name, attrname, EXTATTR_MAXNAMELEN+1); ++ ++ return attr; ++} ++ ++static ssize_t extattr_size(extattr_arg arg, extattr_attr *attr) ++{ ++ ssize_t result; ++ ++ switch(arg.method) { ++#if defined(HAVE_EXTATTR_GET_FILE) ++ case FILE: ++ result = extattr_get_file(arg.param.path, attr->namespace, attr->name, NULL, 0); ++ break; ++#endif ++#if defined(HAVE_EXTATTR_GET_LINK) ++ case LINK: ++ result = extattr_get_link(arg.param.path, attr->namespace, attr->name, NULL, 0); ++ break; ++#endif ++#if defined(HAVE_EXTATTR_GET_FD) ++ case FDES: ++ result = extattr_get_fd(arg.param.filedes, attr->namespace, attr->name, NULL, 0); ++ break; ++#endif ++ default: ++ errno = ENOSYS; ++ return -1; ++ } ++ ++ if(result < 0) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ return result; ++} ++ ++ ++/* ++ * The list of names is returned as an unordered array of NULL-terminated ++ * character strings (attribute names are separated by NULL characters), ++ * like this: ++ * user.name1\0system.name1\0user.name2\0 ++ * ++ * Filesystems like ext2, ext3 and XFS which implement POSIX ACLs using ++ * extended attributes, might return a list like this: ++ * system.posix_acl_access\0system.posix_acl_default\0 ++ */ ++/* ++ * The extattr_list_file() returns a list of attributes present in the ++ * requested namespace. Each list entry consists of a single byte containing ++ * the length of the attribute name, followed by the attribute name. The ++ * attribute name is not terminated by ASCII 0 (nul). 
++*/ ++ ++static ssize_t freebsd_extattr_list(extattr_arg arg, char *list, size_t size) ++{ ++ ssize_t list_size, total_size = 0; ++ char *p, *q, *list_end; ++ int len; ++ /* ++ Ignore all but user namespace when we are not root or in jail ++ See: https://bugzilla.samba.org/show_bug.cgi?id=10247 ++ */ ++ bool as_root = (geteuid() == 0); ++ ++ int ns = (is_secure && as_root) ? 1 : 2; ++ ++ /* Iterate through extattr(2) namespaces */ ++ for(; ns < ARRAY_SIZE(extattr); ns++) { ++ switch(arg.method) { ++#if defined(HAVE_EXTATTR_LIST_FILE) ++ case FILE: ++ list_size = extattr_list_file(arg.param.path, extattr[ns].namespace, list, size); ++ break; ++#endif ++#if defined(HAVE_EXTATTR_LIST_LINK) ++ case LINK: ++ list_size = extattr_list_link(arg.param.path, extattr[ns].namespace, list, size); ++ break; ++#endif ++#if defined(HAVE_EXTATTR_LIST_FD) ++ case FDES: ++ list_size = extattr_list_fd(arg.param.filedes, extattr[ns].namespace, list, size); ++ break; ++#endif ++ default: ++ errno = ENOSYS; ++ return -1; ++ } ++ /* Some error happend. Errno should be set by the previous call */ ++ if(list_size < 0) ++ return -1; ++ /* No attributes in this namespace */ ++ if(list_size == 0) ++ continue; ++ /* ++ Call with an empty buffer may be used to calculate ++ necessary buffer size. ++ */ ++ if(list == NULL) { ++ /* ++ XXX: Unfortunately, we can't say, how many attributes were ++ returned, so here is the potential problem with the emulation. ++ */ ++ if(is_legacy) { ++ /* ++ Take the worse case of one char attribute names - ++ two bytes per name plus one more for sanity. 
++ */ ++ total_size += list_size + (list_size/2 + 1)*extattr[ns].data.len; ++ } ++ else { ++ total_size += list_size; ++ } ++ continue; ++ } ++ ++ if(is_legacy) { ++ /* Count necessary offset to fit namespace prefixes */ ++ int extra_len = 0; ++ uint16_t flags; ++ list_end = list + list_size; ++ for(list_size = 0, p = q = list; p < list_end; p += len) { ++ len = p[0] + 1; ++ (void)strlcpy(q, p + 1, len); ++ flags = freebsd_map_attrname(q); ++ /* Skip secure attributes for non-root user */ ++ if(!is_secure && !as_root && flags > EXTATTR_USER) { ++ continue; ++ } ++ if(flags <= EXTATTR_USER) { ++ /* Don't count trailing '\0' */ ++ extra_len += extattr[ns].data.len; ++ } ++ list_size += len; ++ q += len; ++ } ++ total_size += list_size + extra_len; ++ /* Buffer is too small to fit the results */ ++ if(total_size > size) { ++ errno = ERANGE; ++ return -1; ++ } ++ /* Shift results backwards, so we can prepend prefixes */ ++ list_end = list + extra_len; ++ p = (char*)memmove(list_end, list, list_size); ++ /* ++ We enter the loop with `p` pointing to the shifted list and ++ `extra_len` having the total margin between `list` and `p` ++ */ ++ for(list_end += list_size; p < list_end; p += len) { ++ len = strlen(p) + 1; ++ flags = freebsd_map_attrname(p); ++ if(flags <= EXTATTR_USER) { ++ /* Add namespace prefix */ ++ (void)strncpy(list, extattr[ns].name, extattr[ns].data.len); ++ list += extattr[ns].data.len; ++ } ++ /* Append attribute name */ ++ (void)strlcpy(list, p, len); ++ list += len; ++ } ++ } ++ else { ++ /* Convert UCSD strings into nul-terminated strings */ ++ for(list_end = list + list_size; list < list_end; list += len) { ++ len = list[0] + 1; ++ (void)strlcpy(list, list + 1, len); ++ } ++ total_size += list_size; ++ } ++ } ++ return total_size; ++} ++ ++/* ++static ssize_t freebsd_getxattr_size(vfs_handle_struct *handle, ++ const struct smb_filename *smb_fname, ++ const char *name) ++{ ++ extattr_arg arg = { FILE, smb_fname->base_name }; ++ extattr_attr attr; 
++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ return -1; ++ } ++ ++ return extattr_size(arg, &attr); ++} ++*/ ++ ++/* VFS entries */ ++static ssize_t freebsd_getxattr(vfs_handle_struct *handle, ++ const struct smb_filename *smb_fname, ++ const char *name, ++ void *value, ++ size_t size) ++{ ++#if defined(HAVE_EXTATTR_GET_FILE) ++ extattr_arg arg = { FILE, .param.path = smb_fname->base_name }; ++ extattr_attr attr; ++ ssize_t res; ++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ /* Filter out 'secure' entries */ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ return -1; ++ } ++ ++ /* ++ * The BSD implementation has a nasty habit of silently truncating ++ * the returned value to the size of the buffer, so we have to check ++ * that the buffer is large enough to fit the returned value. 
++ */ ++ if((res=extattr_size(arg, &attr)) < 0) { ++ return -1; ++ } ++ ++ if (size == 0) { ++ return res; ++ } ++ else if (res > size) { ++ errno = ERANGE; ++ return -1; ++ } ++ ++ if((res=extattr_get_file(smb_fname->base_name, attr.namespace, attr.name, value, size)) >= 0) { ++ return res; ++ } ++ return -1; ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++static ssize_t freebsd_fgetxattr(vfs_handle_struct *handle, ++ struct files_struct *fsp, const char *name, ++ void *value, size_t size) ++{ ++#if defined(HAVE_EXTATTR_GET_FD) ++ extattr_arg arg = { FDES, .param.filedes = fsp->fh->fd }; ++ extattr_attr attr; ++ ssize_t res; ++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ /* Filter out 'secure' entries */ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ return -1; ++ } ++ ++ /* ++ * The BSD implementation has a nasty habit of silently truncating ++ * the returned value to the size of the buffer, so we have to check ++ * that the buffer is large enough to fit the returned value. 
++ */ ++ if((res=extattr_size(arg, &attr)) < 0) { ++ return -1; ++ } ++ ++ if (size == 0) { ++ return res; ++ } ++ else if (res > size) { ++ errno = ERANGE; ++ return -1; ++ } ++ ++ if((res=extattr_get_fd(fsp->fh->fd, attr.namespace, attr.name, value, size)) >= 0) { ++ return res; ++ } ++ return -1; ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++static ssize_t freebsd_listxattr(vfs_handle_struct *handle, ++ const struct smb_filename *smb_fname, ++ char *list, ++ size_t size) ++{ ++#if defined(HAVE_EXTATTR_LIST_FILE) ++ extattr_arg arg = { FILE, .param.path = smb_fname->base_name }; ++ ++ return freebsd_extattr_list(arg, list, size); ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++static ssize_t freebsd_flistxattr(vfs_handle_struct *handle, ++ struct files_struct *fsp, char *list, ++ size_t size) ++{ ++#if defined(HAVE_EXTATTR_LIST_FD) ++ extattr_arg arg = { FDES, .param.filedes = fsp->fh->fd }; ++ ++ return freebsd_extattr_list(arg, list, size); ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++static int freebsd_removexattr(vfs_handle_struct *handle, ++ const struct smb_filename *smb_fname, ++ const char *name) ++{ ++#if defined(HAVE_EXTATTR_DELETE_FILE) ++ extattr_attr attr; ++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ /* Filter out 'secure' entries */ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ return -1; ++ } ++ ++ return extattr_delete_file(smb_fname->base_name, attr.namespace, attr.name); ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++static int freebsd_fremovexattr(vfs_handle_struct *handle, ++ struct files_struct *fsp, const char *name) ++{ ++#if defined(HAVE_EXTATTR_DELETE_FD) ++ extattr_attr attr; ++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ /* Filter out 'secure' entries */ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ 
return -1; ++ } ++ ++ return extattr_delete_fd(fsp->fh->fd, attr.namespace, attr.name); ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++static int freebsd_setxattr(vfs_handle_struct *handle, ++ const struct smb_filename *smb_fname, ++ const char *name, ++ const void *value, ++ size_t size, ++ int flags) ++{ ++#if defined(HAVE_EXTATTR_SET_FILE) ++ extattr_attr attr; ++ ssize_t res; ++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ /* Filter out 'secure' entries */ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ return -1; ++ } ++ ++ if (flags) { ++ extattr_arg arg = { FILE, .param.path = smb_fname->base_name }; ++ /* Check attribute existence */ ++ res = extattr_size(arg, &attr); ++ if (res < 0) { ++ /* REPLACE attribute, that doesn't exist */ ++ if ((flags & XATTR_REPLACE) && errno == ENOATTR) { ++ errno = ENOATTR; ++ return -1; ++ } ++ /* Ignore other errors */ ++ } ++ else { ++ /* CREATE attribute, that already exists */ ++ if (flags & XATTR_CREATE) { ++ errno = EEXIST; ++ return -1; ++ } ++ } ++ } ++ res = extattr_set_file(smb_fname->base_name, attr.namespace, attr.name, value, size); ++ ++ return (res >= 0) ? 
0 : -1; ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++static int freebsd_fsetxattr(vfs_handle_struct *handle, struct files_struct *fsp, ++ const char *name, const void *value, size_t size, ++ int flags) ++{ ++#if defined(HAVE_EXTATTR_SET_FD) ++ extattr_attr attr; ++ ssize_t res; ++ ++ if(!freebsd_map_xattr(name, &attr)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ /* Filter out 'secure' entries */ ++ if(!is_secure && geteuid() != 0 && attr.data.flags > EXTATTR_USER) { ++ errno = ENOATTR; ++ return -1; ++ } ++ ++ if (flags) { ++ extattr_arg arg = { FDES, .param.filedes = fsp->fh->fd }; ++ /* Check attribute existence */ ++ res = extattr_size(arg, &attr); ++ if (res < 0) { ++ /* REPLACE attribute, that doesn't exist */ ++ if ((flags & XATTR_REPLACE) && errno == ENOATTR) { ++ errno = ENOATTR; ++ return -1; ++ } ++ /* Ignore other errors */ ++ } ++ else { ++ /* CREATE attribute, that already exists */ ++ if (flags & XATTR_CREATE) { ++ errno = EEXIST; ++ return -1; ++ } ++ } ++ } ++ ++ res = extattr_set_fd(fsp->fh->fd, attr.namespace, attr.name, value, size); ++ ++ return (res >= 0) ? 0 : -1; ++#else ++ errno = ENOSYS; ++ return -1; ++#endif ++} ++ ++ ++ ++ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
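
Review bot: In head/net/samba48/Makefile, hunk @@ -60,6 +60,7 @@, the added `--with-bind-dns-dir=${SAMBA4_BINDDNSDIR}` is the only directory argument in this CONFIGURE_ARGS run that is not quoted, and no hunk in this diff defines SAMBA4_BINDDNSDIR. Quote it like the neighbouring `--with-privatedir="${SAMBA4_PRIVATEDIR}"` and confirm the variable is set next to SAMBA4_LOCKDIR and SAMBA4_PRIVATEDIR, since an empty value would hand configure a bare `--with-bind-dns-dir=`.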
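
Review bot: In head/net/samba48/files/README.FreeBSD.in, hunk @@ -23,28 +23,22 @@, the new paragraph starting "There is a hack in the code" says attributes end up in the USER extattr(2) namespace but does not name what enables this or how an administrator can tell it is active. Because the same paragraph notes that the file owner can then edit those attributes, name the module or setting involved and say which setups (UFS2, jails) get the USER namespace, so operators can decide whether owner-editable attributes are acceptable before provisioning.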
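
Review bot: head/net/samba48/files/patch-quickfix__in__progress bundles two unrelated changes (source3/libnet/libnet_join.c and source3/libsmb/namequery_dc.c) under a name that does not say what is fixed. Split it into one patch per file, named after the path as the other added patches are (patch-source3__modules__wscript_build), and add a line explaining why `#endif /* HAVE_ADS */` moves below the `rpc_join:` label and why the guard on is_our_primary_domain() changes from HAVE_KRB5 to HAVE_ADS. The two file headers also use different timestamp formats (UTC in the first, +0100 with fractional seconds in the second); regenerating both the same way would keep them consistent.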
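
Review bot: In head/net/samba48/files/patch-vfs_freebsd.c, freebsd_extattr_list() advances `list` after each namespace but passes the original `size` to the next extattr_list_file()/extattr_list_link()/extattr_list_fd() call, so when both the SYSTEM and USER namespaces hold attributes the second call may write past the end of the caller's buffer. Track the remaining space (for example `size - total_size`) and return ERANGE when it runs out. Separately, extattr_size() overwrites errno with EINVAL on every failure, so the `errno == ENOATTR` test behind XATTR_REPLACE in freebsd_setxattr() and freebsd_fsetxattr() can never be true; keep the errno set by the extattr_get_* call. Also, freebsd_map_attrname() returns EXTATTR_USER for names without any recognised prefix, and freebsd_map_xattr() then applies `attrname = name + 5` in legacy mode, which skips five bytes of an unprefixed name and reads past the terminator for names shorter than five characters; strip the prefix only when the name actually starts with "user.".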