The Samba-Bugzilla – Attachment 7146 Details for Bug 8631: POSIX ACE x permission becomes rx following mapping to and from a DACL
patch: acl_do_not_map_x_to_read_attr.diff (text/plain), 1.96 KB, created by David Disseldorp on 2011-11-25 18:09:43 UTC
>From 7375404e3a363afd0b312aa8271e3ac311b57507 Mon Sep 17 00:00:00 2001 >From: David Disseldorp <ddiss@samba.org> >Date: Fri, 25 Nov 2011 18:16:30 +0100 >Subject: [PATCH] acl: do not map POSIX ACL x to DACL FILE_READ_ATTRIBUTES > >A POSIX ACE allowing --x becomes r-x when mapped to and from a Windows >DACL without user intervention. >The implicit granting of read permission to any ACE with execute >permission is due to the existing POSIX ACL mapping algorithm: > >In the get DACL path map_canon_ace_perms() maps S_IXUSR to FILE_EXECUTE, >SEC_STD_READ_CONTROL, FILE_READ_ATTRIBUTES and SYNCHRONIZE_ACCESS >permissions. > >In the set DACL path map_nt_perms() checks for any of FILE_READ_DATA, >FILE_READ_EA or FILE_READ_ATTRIBUTES. If set then the "r" flag >is set in the corresponding POSIX Access Control entry. > >This change returns to pre 54eaf2d behaviour, whereby S_IXUSR is not >mapped to FILE_READ_ATTRIBUTES. > >https://bugzilla.samba.org/show_bug.cgi?id=8631 >--- > source3/include/smb.h | 6 ++++-- > 1 files changed, 4 insertions(+), 2 deletions(-) > >diff --git a/source3/include/smb.h b/source3/include/smb.h >index b46f498..0fa1032 100644 >--- a/source3/include/smb.h >+++ b/source3/include/smb.h 
>@@ -859,13 +859,15 @@ struct connections_data { > #define UNIX_ACCESS_RWX FILE_GENERIC_ALL > #define UNIX_ACCESS_R FILE_GENERIC_READ > #define UNIX_ACCESS_W FILE_GENERIC_WRITE >-#define UNIX_ACCESS_X FILE_GENERIC_EXECUTE >+/* read attr is mapped by UNIX_ACCESS_R - bso#8631 */ >+#define UNIX_ACCESS_X (FILE_GENERIC_EXECUTE & (~FILE_READ_ATTRIBUTES)) > > /* Mapping of access rights to UNIX perms. for a UNIX directory. */ > #define UNIX_DIRECTORY_ACCESS_RWX FILE_GENERIC_ALL > #define UNIX_DIRECTORY_ACCESS_R FILE_GENERIC_READ > #define UNIX_DIRECTORY_ACCESS_W (FILE_GENERIC_WRITE|FILE_DELETE_CHILD) >-#define UNIX_DIRECTORY_ACCESS_X FILE_GENERIC_EXECUTE >+/* read attr is mapped by UNIX_ACCESS_R - bso#8631 */ >+#define UNIX_DIRECTORY_ACCESS_X (FILE_GENERIC_EXECUTE & (~FILE_READ_ATTRIBUTES)) > > #if 0 > /* >-- >1.7.7 >
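Review bot: The set DACL side is left untouched, so the new UNIX_ACCESS_X and UNIX_DIRECTORY_ACCESS_X defines only fix the round trip when the client sends back exactly the ACE that Samba returned. Per the commit message, map_nt_perms() still sets "r" for any of FILE_READ_DATA, FILE_READ_EA or FILE_READ_ATTRIBUTES, so an ACE that arrives with execute plus FILE_READ_ATTRIBUTES will still come out as r-x. Please say so in the comment, or state in the commit message why the set path is deliberately left alone. Two smaller points in the same hunk: the comment above UNIX_DIRECTORY_ACCESS_X names UNIX_ACCESS_R, but the directory read mapping it sits next to is UNIX_DIRECTORY_ACCESS_R, and "read attr is mapped by ..." would be clearer if it spelled out FILE_READ_ATTRIBUTES and the reason (it is read back as "r"). The diffstat shows only source3/include/smb.h changed, so nothing guards the --x round trip against regressing again; a test that maps an --x ACE to a DACL and back and checks that it is still --x would cover both the file and the directory define.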