From 33296b9d303cd24dd18f925fd39c4f35d9fe7ddf Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 2 Oct 2012 09:21:17 -0700
Subject: [PATCH 1/4] Reformat spacing to be even.
(cherry picked from commit efb446a38cca448855977666499603d12e1477b4)
---
 source3/smbd/posix_acls.c | 15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 34747d3..efe0c72 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1353,13 +1353,14 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
 type.
 ****************************************************************************/
-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
- const struct share_params *params,
- const bool is_directory,
- const struct dom_sid *pfile_owner_sid,
- const struct dom_sid *pfile_grp_sid,
- const SMB_STRUCT_STAT *pst,
- bool setting_acl)
+static bool ensure_canon_entry_valid(connection_struct *conn,
+ canon_ace **pp_ace,
+ const struct share_params *params,
+ const bool is_directory,
+ const struct dom_sid *pfile_owner_sid,
+ const struct dom_sid *pfile_grp_sid,
+ const SMB_STRUCT_STAT *pst,
+ bool setting_acl)
 {
 canon_ace *pace;
 bool got_user = False;
-- 1.7.7.3
From 6d35581e8dee44b647b103708b0b41be2764115b Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 2 Oct 2012 09:55:09 -0700
Subject: [PATCH 2/4] Use is_default_acl variable in canonicalise_acl().
(cherry picked from commit 82e7132bdf7c9d4ddead3cd5d845bfe68b93448b)
---
 source3/smbd/posix_acls.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index efe0c72..8627a62 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2429,6 +2429,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 canon_ace *ace = NULL;
 canon_ace *next_ace = NULL;
 int entry_id = SMB_ACL_FIRST_ENTRY;
+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
 SMB_ACL_ENTRY_T entry;
 size_t ace_count;
@@ -2516,7 +2517,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 ace->trustee = sid;
 ace->unix_ug = unix_ug;
 ace->owner_type = owner_type;
- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
 DLIST_ADD(l_head, ace);
 }
@@ -2535,7 +2536,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 * acl_mask. Ensure all DENY Entries are at the start of the list.
 */
- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
 for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
 next_ace = ace->next;
-- 1.7.7.3
From 69fb1d56e12b83d9a60fed5dd8cad75adec2e526 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 2 Oct 2012 12:21:10 -0700
Subject: [PATCH 3/4] Only apply masks on non-default ACL entries when setting the ACL.
---
 source3/smbd/posix_acls.c | 28 +++++++++++++++++++---------
 1 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 8627a62..09d6bec 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1355,6 +1355,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
 static bool ensure_canon_entry_valid(connection_struct *conn,
 canon_ace **pp_ace,
+ bool is_default_acl,
 const struct share_params *params,
 const bool is_directory,
 const struct dom_sid *pfile_owner_sid,
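Review bot: The new `is_default_acl` parameter of ensure_canon_entry_valid() is not described anywhere in the hunk, and it is now one of three `bool` parameters in the list, so a transposed argument at a call site would still compile. The descriptive comment above the signature lies outside the hunk and, as far as the first patch shows, ends with the explanation of `pst`; I would add a sentence there such as `is_default_acl is true when *pp_ace is a default ACL; the share masks are then not applied on set.` The parameter list continues past the end of the hunk.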
@@ -1371,8 +1372,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 for (pace = *pp_ace; pace; pace = pace->next) {
 if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
 apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
 got_user = True;
 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
@@ -1381,8 +1383,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 * Ensure create mask/force create mode is respected on set.
 */
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
 apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
 got_grp = True;
 } else if (pace->type == SMB_ACL_OTHER) {
@@ -1391,8 +1394,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 * Ensure create mask/force create mode is respected on set.
 */
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
 apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
 got_other = True;
 pace_other = pace;
 }
@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 pace->perms = pace_other->perms;
 }
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
 } else {
 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
 }
@@ -1464,7 +1470,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 pace->perms = pace_other->perms;
 else
 pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
 } else {
 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
 }
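Review bot: With `setting_acl && !is_default_acl` the whole apply_default_perms() call is skipped for a default ACL, here for SMB_ACL_USER_OBJ and again in the SMB_ACL_GROUP_OBJ and SMB_ACL_OTHER branches of the next two hunks, yet nothing records why a default ACL may be stored unmasked. apply_default_perms() is not visible in this series, so if it does anything beyond applying the masks (for instance enforcing a minimum permission for the owner), that is now skipped for default ACLs too and should be confirmed. Because a default ACL governs objects created later, I would state the reasoning at this first guard, e.g. `/* Default ACL entries are stored as sent; the masks apply to the access ACL only. */`.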
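Review bot: The retained comment `Ensure create mask/force create mode is respected on set.` above the rewritten SMB_ACL_GROUP_OBJ condition no longer matches the code, because the masks are now skipped whenever `is_default_acl` is set; the identical comment in the SMB_ACL_OTHER hunk that follows has the same problem. I would reword both to `Ensure create mask/force create mode is respected on set of a non-default ACL.` The opening line of each comment is outside its hunk.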
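Review bot: The guard `if (!is_default_acl) { apply_default_perms(...); }` is written out separately in every branch that fills in a missing entry (this hunk at -1438, the group hunk at -1464 and the SMB_ACL_OTHER hunk at -1486), on top of the three tests in the loop above, so a branch added later can miss it without any warning. A single static helper that receives `is_default_acl` and decides once would keep mask enforcement in one place and reduce each call site to one line. The conditional these lines belong to begins outside the hunk, and the helper name below is only a suggestion.

```c
/* Apply the share masks to one entry when setting an ACL; a default ACL is left unmasked. */
static void apply_perms_on_set(const struct share_params *params,
			       const bool is_directory,
			       bool is_default_acl,
			       canon_ace *pace,
			       mode_t type)
{
	if (is_default_acl) {
		return;
	}
	apply_default_perms(params, is_directory, pace, type);
}

/* … unchanged: creation of the missing SMB_ACL_USER_OBJ entry … */
apply_perms_on_set(params, is_directory, is_default_acl, pace, S_IRUSR);
```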
@@ -1486,7 +1494,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 pace->attr = ALLOW_ACE;
 if (setting_acl) {
 pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
 } else
 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@ -2331,7 +2341,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
 free_canon_ace_list(file_ace);
 free_canon_ace_list(dir_ace);
@@ -2340,7 +2350,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
 free_canon_ace_list(file_ace);
 free_canon_ace_list(dir_ace);
@@ -2526,7 +2536,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 * This next call will ensure we have at least a user/group/world set.
 */
- if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
 S_ISDIR(psbuf->st_ex_mode), powner, pgroup, psbuf, False))
 goto fail;
-- 1.7.7.3
From cd15da0736ea5adf91b40549525f721a0abcc5a4 Mon Sep 17 00:00:00 2001
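Review bot: Both calls in unpack_canon_ace() (hunks -2331 and -2340) pass the new argument as a bare lowercase `false`/`true`, while the last argument of the same call is still `True` and the surrounding code in this series uses `True`/`False`. Two unlabeled boolean arguments in one call are easy to transpose, and here the value decides whether the masks are applied at all. I would keep the file's spelling and label the argument, e.g. `&file_ace, False /* is_default_acl */, fsp->conn->params,` and the same with `True` for `dir_ace`.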
From: Jeremy Allison
Date: Tue, 2 Oct 2012 10:15:54 -0700
Subject: [PATCH 4/4] When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
(cherry picked from commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f)
---
 source3/smbd/posix_acls.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 09d6bec..22ad40f 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1399,6 +1399,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 }
 got_other = True;
 pace_other = pace;
+
+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
+
+ /*
+ * Ensure create mask/force create mode is respected on set.
+ */
+
+ if (setting_acl && !is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
 }
 }
-- 1.7.7.3
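Review bot: The new branch masks SMB_ACL_USER entries with `S_IRGRP`, the same selector it uses for SMB_ACL_GROUP, and the copied comment does not say why a named user is treated as group class rather than owner class. If that is deliberate (named entries are normally bounded by the group-class bits in POSIX ACLs), say so at the call, e.g. `/* Named user and group entries are in the group class, so the group mask bits apply. */`. The comment should also mention that default ACLs are exempt, since the condition is `setting_acl && !is_default_acl`. The function body continues outside the hunk.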