The Samba-Bugzilla – Attachment 6000 Details for Bug 7716: acl_xattr and acl_tdb modules don't store unmodified copies of security descriptors
[patch] git-am patch for 3.5.next
0001-Fix-bug-7716-acl_xattr-and-acl_tdb-modules-don-t-sto.patch (text/plain), 2.21 KB, created by Jeremy Allison on 2010-10-07 16:29:28 UTC
>From e83b9249fefe17803407461bac3370c13ab637d8 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 7 Oct 2010 14:26:13 -0700 >Subject: [PATCH] Fix bug 7716 - acl_xattr and acl_tdb modules don't store unmodified copies of security descriptors. > >As pointed out by an OEM, the code within smbd/posix_acl.c, even though passed >a const pointer to a security descriptor, still modifies the ACE entries within >it (which are not const pointers). > >This means ACLs stored in the extended attribute by the acl_xattr module have >already been modified by the POSIX acl layer, and are not the original intent >of storing the "unmodified" ACL from the client. > >Use dup_sec_desc to make a copy of the incoming ACL on talloc_tos() - that >is what is then modified inside smbd/posix_acl.c, leaving the original ACL >to be correctly stored in the xattr. > >Jeremy. >--- > source3/smbd/posix_acls.c | 12 +++++++++++- > 1 files changed, 11 insertions(+), 1 deletions(-) > >diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c >index eac20d2..0e25ed5 100644 >--- a/source3/smbd/posix_acls.c >+++ b/source3/smbd/posix_acls.c >@@ -3822,7 +3822,7 @@ NTSTATUS append_parent_acl(files_struct *fsp, > This should be the only external function needed for the UNIX style set ACL. > ****************************************************************************/ > >-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd) >+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd_orig) > { > connection_struct *conn = fsp->conn; > uid_t user = (uid_t)-1; >@@ -3837,6 +3837,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC > bool set_acl_as_root = false; > bool acl_set_support = false; > bool ret = false; >+ SEC_DESC *psd = NULL; > > DEBUG(10,("set_nt_acl: called for file %s\n", > fsp_str_dbg(fsp))); 
>@@ -3846,6 +3847,15 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC > return NT_STATUS_MEDIA_WRITE_PROTECTED; > } > >+ if (!psd_orig) { >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ >+ psd = dup_sec_desc(talloc_tos(), psd_orig); >+ if (!psd) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ > /* > * Get the current state of the file. > */ >-- >1.7.0.4 >
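Review bot: the comment block above set_nt_acl in the first hunk still reads only "This should be the only external function needed for the UNIX style set ACL." and does not record the new contract, namely that psd_orig is never written through and all modification happens on a private copy. The commit message explains that the const qualifier alone did not stop the ACE entries from being changed, so a sentence in that comment stating the guarantee would tell callers that store the descriptor afterwards what they can rely on. As a smaller point, the commit message names smbd/posix_acl.c while the file touched is source3/smbd/posix_acls.c.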
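Review bot: the psd = dup_sec_desc(talloc_tos(), psd_orig); line in the last hunk has no comment saying why the copy is needed, so a later cleanup could take it for a redundant allocation and remove it; a short comment above it noting that the code below modifies the ACEs and that the caller's descriptor must stay untouched would prevent that. Nothing in the hunk frees psd, so the copy lives until the current talloc stackframe is released, which is worth stating in the same comment. The new !psd_orig test also sits after the NT_STATUS_MEDIA_WRITE_PROTECTED return, so a NULL argument is reported as NT_STATUS_INVALID_PARAMETER only when that earlier return is not taken; moving the argument check to the top of the function would make the result independent of it.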
Flags: vl: review+