From f6daedfa55c5f6beb677b0d150c68606f46bc3f9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 16 Apr 2012 18:04:51 -0700
Subject: [PATCH 1/2] Fix incorrect debug - parent_name is never set !
---
 source3/modules/vfs_acl_common.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index fe4c822..6b2d244 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -574,7 +574,6 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
 uint32_t access_mask,
 struct security_descriptor **pp_parent_desc)
 {
- char *parent_name = NULL;
 struct security_descriptor *parent_desc = NULL;
 uint32_t access_granted = 0;
 NTSTATUS status;
@@ -593,9 +592,8 @@ static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
 &access_granted);
 if(!NT_STATUS_IS_OK(status)) {
 DEBUG(10,("check_parent_acl_common: access check "
- "on directory %s for "
+ "on parent directory of "
 "path %s for mask 0x%x returned %s\n",
- parent_name,
 path,
 access_mask,
 nt_errstr(status) ));
-- 1.7.7.3
From 9cb4b765c1a6aa739e3c3279e05f312d38282081 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 16 Apr 2012 18:17:25 -0700
Subject: [PATCH 2/2] Bugfix for #8857 - Setting traverse rights fails to enable directory traversal when acl_xattr in use. We were incorrectly checking the parent directory ACL, instead of the ACL of the directory we're trying to open.
---
 source3/modules/vfs_acl_common.c | 35 +++++++++++++++++++++++++++++++++--
 1 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 6b2d244..6cc7f09 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -828,13 +828,44 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
 static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
 const char *fname, const char *mask, uint32 attr)
 {
- NTSTATUS status = check_parent_acl_common(handle, fname,
- SEC_DIR_LIST, NULL);
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+ struct security_descriptor *sd = NULL;
+
+ status = get_nt_acl_internal(handle,
+ NULL,
+ fname,
+ (SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL |
+ SECINFO_SACL),
+ &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("opendir_acl_common: "
+ "get_nt_acl_internal for dir %s "
+ "failed with error %s\n",
+ fname,
+ nt_errstr(status) ));
+ errno = map_errno_from_nt_status(status);
+ return NULL;
+ }
+ /* See if we can access it. */
+ status = smb1_file_se_access_check(handle->conn,
+ sd,
+ get_current_nttok(handle->conn),
+ SEC_DIR_LIST,
+ &access_granted);
 if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("opendir_acl_common: %s open "
+ "for access SEC_DIR_LIST "
+ "refused with error %s\n",
+ fname,
+ nt_errstr(status) ));
 errno = map_errno_from_nt_status(status);
 return NULL;
 }
+
 return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
 }
-- 1.7.7.3
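Review bot: `sd` is filled in by get_nt_acl_internal() and nothing in opendir_acl_common releases it, on either the refused or the allowed path. Which context that helper allocates from is not visible in this patch; if it outlives the call, every directory open keeps a security descriptor alive, so I would add `TALLOC_FREE(sd);` directly after the smb1_file_se_access_check() call, where the descriptor is no longer needed. The ACL lookup and SMB_VFS_NEXT_OPENDIR also resolve `fname` separately, so the authorization decision holds only while the name keeps pointing at the same directory; a comment above the final return such as `/* ACL was checked by name; a rename or replacement of fname before the open is not covered here. */` would make that limit explicit for later readers.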