This patch fixes: * Allow user to change file permission and ACL on writeable files. * Rebirth the "acl group control" parameter and its semantics as described in smb.conf(5) manpage. See also: https://bugzilla.samba.org/show_bug.cgi?id=5202 https://bugzilla.samba.org/show_bug.cgi?id=5255 -- fumiyas at osstech, 2008-01-14
--- samba-3.0.24/source/param/loadparm.c.dist 2007-02-05 03:59:13.000000000 +0900
+++ samba-3.0.24/source/param/loadparm.c 2008-07-03 15:12:02.000000000 +0900
@@ -904,7 +904,7 @@ static struct parm_struct parm_table[] =
 {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE},
 {"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
- {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED },
+ {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE },
 {"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
 {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
 {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE},
--- samba-3.0.24/source/smbd/posix_acls.c.dist 2007-02-05 03:59:13.000000000 +0900
+++ samba-3.0.24/source/smbd/posix_acls.c 2008-07-03 15:10:51.000000000 +0900
@@ -2250,18 +2250,26 @@ static BOOL current_user_in_group(gid_t
 }
 /****************************************************************************
- Should we override a deny ? Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ? Check 'acl group control' and 'dos filemode'
 ****************************************************************************/
-static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
+static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid, const char *fname)
 {
- if ( (errno == EACCES || errno == EPERM)
- && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
- && current_user_in_group(prim_gid))
- {
+ SMB_STRUCT_STAT sbuf;
+
+ if ((errno != EPERM) && (errno != EACCES)) {
+ return False;
+ }
+
+ /* file primary group == user primary or supplementary group */
+ if (lp_acl_group_control(SNUM(conn)) && current_user_in_group(prim_gid)) {
 return True;
- }
+ }
+
+ /* user has writeable permission */
+ if (lp_dos_filemode(SNUM(conn)) && can_write_to_file(conn, fname, &sbuf)) {
+ return True;
+ }
 return False;
 }
@@ -2460,7 +2469,7 @@ static BOOL set_canon_ace_list(files_str
 *pacl_set_support = False;
 }
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
 int sret;
 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -2491,7 +2500,7 @@ static BOOL set_canon_ace_list(files_str
 *pacl_set_support = False;
 }
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
 int sret;
 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
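Review bot: In the new acl_group_override(), `sbuf` is declared but never initialised before its address is passed to can_write_to_file(), so the `dos filemode` branch may base its decision on indeterminate stack contents. can_write_to_file() is not visible in this patch; if it tests the stat buffer for validity before deciding whether to stat `fname` (presumably it does, to be confirmed), a garbage buffer can make it skip the stat and evaluate random owner and mode bits. Because a True return is what lets the callers override a denied ACL or chmod operation, the buffer should be cleared first with `ZERO_STRUCT(sbuf);` directly after the declaration. A short comment stating that the function depends on the caller's `errno` still being that of the failed VFS call would also help.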
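Review bot: The DEBUG(5) text following the changed call in set_canon_ace_list (hunk at -2460) still reads `acl group control on and current user in file %s primary group`, but acl_group_override() now also returns True when `dos filemode` is set and the user can write to the file, so the log names the wrong reason for the override. Anyone reconstructing from logs why a denied ACL change went through would be misled. A neutral message such as `set_canon_ace_list: acl group control or dos filemode override for file %s.\n` fits both paths; the same applies to the second set_canon_ace_list hunk (-2491) and the two set_nt_acl hunks (-3230, -3277). The DEBUG statement and the rest of the function continue outside the hunk.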
@@ -3230,7 +3239,7 @@ BOOL set_nt_acl(files_struct *fsp, uint3
 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
 int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
 DEBUG(5,("set_nt_acl: acl group control on and "
 "current user in file %s primary group. Override delete_def_acl\n",
 fsp->fsp_name ));
@@ -3277,7 +3286,7 @@ BOOL set_nt_acl(files_struct *fsp, uint3
 if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
 int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
 DEBUG(5,("set_nt_acl: acl group control on and "
 "current user in file %s primary group. Override chmod\n",
 fsp->fsp_name ));