The Samba-Bugzilla – Attachment 7292 Details for
Bug 7933
samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module
[patch]
fix for 3.6.next
look (text/plain), 2.30 KB, created by
Jeremy Allison
on 2012-02-03 22:51:13 UTC
Description:
fix for 3.6.next
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2012-02-03 22:51:13 UTC
Size:
2.30 KB
>diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
>index 016bb9f..591c31c 100644
>--- a/source3/modules/vfs_acl_common.c
>+++ b/source3/modules/vfs_acl_common.c
>@@ -744,6 +744,7 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
> struct security_descriptor *pdesc_next = NULL;
> struct security_descriptor *psd = NULL;
> uint8_t hash[XATTR_SD_HASH_SIZE];
>+ bool chown_needed = false;
>
> if (DEBUGLEVEL >= 10) {
> DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
>@@ -766,9 +767,17 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
> psd->type = orig_psd->type | SEC_DESC_SELF_RELATIVE;
>
> if ((security_info_sent & SECINFO_OWNER) && (orig_psd->owner_sid != NULL)) {
>+ if (!dom_sid_equal(orig_psd->owner_sid, psd->owner_sid)) {
>+ /* We're changing the owner. */
>+ chown_needed = true;
>+ }
> psd->owner_sid = orig_psd->owner_sid;
> }
> if ((security_info_sent & SECINFO_GROUP) && (orig_psd->group_sid != NULL)) {
>+ if (!dom_sid_equal(orig_psd->group_sid, psd->group_sid)) {
>+ /* We're changing the group. */
>+ chown_needed = true;
>+ }
> psd->group_sid = orig_psd->group_sid;
> }
> if (security_info_sent & SECINFO_DACL) {
>@@ -782,7 +791,33 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
>
> status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
> if (!NT_STATUS_IS_OK(status)) {
>- return status;
>+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
>+ return status;
>+ }
>+ /* We got access denied here. If we're already root,
>+ or we didn't need to do a chown, or the fsp isn't
>+ open with WRITE_OWNER access, just return. */
>+ if (get_current_uid(handle->conn) == 0 ||
>+ chown_needed == false ||
>+ !(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
>+ return NT_STATUS_ACCESS_DENIED;
>+ }
>+
>+ DEBUG(10,("fset_nt_acl_common: overriding chown on file %s "
>+ "for sid %s\n",
>+ fsp_str_dbg(fsp),
>+ sid_string_tos(psd->owner_sid)
>+ ));
>+
>+ /* Ok, we failed to chown and we have
>+ SEC_STD_WRITE_OWNER access - override. */
>+ become_root();
>+ status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp,
>+ security_info_sent, psd);
>+ unbecome_root();
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return status;
>+ }
> }
>
> /* Get the full underlying sd, then hash. */
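Review bot: The retry between `become_root()` and `unbecome_root()` passes the unchanged `security_info_sent` and `psd` to `SMB_VFS_NEXT_FSET_NT_ACL`, so every part of the descriptor the client sent, not only the owner or group change, is applied with root credentials. Nothing in this hunk limits which owner or group SID may be set: the gate is only `chown_needed` plus `SEC_STD_WRITE_OWNER` on the handle, and `chown_needed` does not show that the chown was what produced `NT_STATUS_ACCESS_DENIED`. Unless a caller outside the hunk already enforces it, I would check before `become_root()` that the requested owner is a SID the caller may take ownership as, returning `NT_STATUS_INVALID_OWNER` otherwise. The reason for the privilege raise should also be recorded, e.g. `/* Root override: non-root caller, handle has SEC_STD_WRITE_OWNER, request changes owner or group; the lower layer is re-run with the full security_info_sent. */`. The DEBUG line prints only `psd->owner_sid` even when it was the group that changed; `fset_nt_acl_common` begins and continues outside this hunk.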