The Samba-Bugzilla – Attachment 7980 Details for
Bug 9236
ACL masks incorrectly applied when setting ACLs.
[patch]
git-am fix for 3.6.next.
look (text/plain), 8.39 KB, created by
Jeremy Allison
on 2012-10-02 19:21:48 UTC
Description:
git-am fix for 3.6.next.
Creator:
Jeremy Allison
Created:
2012-10-02 19:21:48 UTC
Size:
8.39 KB
>From 33296b9d303cd24dd18f925fd39c4f35d9fe7ddf Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 09:21:17 -0700
>Subject: [PATCH 1/4] Reformat spacing to be even. (cherry picked from commit
> efb446a38cca448855977666499603d12e1477b4)
>
>---
> source3/smbd/posix_acls.c | 15 ++++++++-------
> 1 files changed, 8 insertions(+), 7 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 34747d3..efe0c72 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1353,13 +1353,14 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
> type.
> ****************************************************************************/
>
>-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
>- const struct share_params *params,
>- const bool is_directory,
>- const struct dom_sid *pfile_owner_sid,
>- const struct dom_sid *pfile_grp_sid,
>- const SMB_STRUCT_STAT *pst,
>- bool setting_acl)
>+static bool ensure_canon_entry_valid(connection_struct *conn,
>+ canon_ace **pp_ace,
>+ const struct share_params *params,
>+ const bool is_directory,
>+ const struct dom_sid *pfile_owner_sid,
>+ const struct dom_sid *pfile_grp_sid,
>+ const SMB_STRUCT_STAT *pst,
>+ bool setting_acl)
> {
> canon_ace *pace;
> bool got_user = False;
>--
>1.7.7.3
>
>
>From 6d35581e8dee44b647b103708b0b41be2764115b Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 09:55:09 -0700
>Subject: [PATCH 2/4] Use is_default_acl variable in canonicalise_acl().
> (cherry picked from commit
> 82e7132bdf7c9d4ddead3cd5d845bfe68b93448b)
>
>---
> source3/smbd/posix_acls.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index efe0c72..8627a62 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -2429,6 +2429,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> canon_ace *ace = NULL;
> canon_ace *next_ace = NULL;
> int entry_id = SMB_ACL_FIRST_ENTRY;
>+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
> SMB_ACL_ENTRY_T entry;
> size_t ace_count;
>
>@@ -2516,7 +2517,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> ace->trustee = sid;
> ace->unix_ug = unix_ug;
> ace->owner_type = owner_type;
>- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
>+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
>
> DLIST_ADD(l_head, ace);
> }
>@@ -2535,7 +2536,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> * acl_mask. Ensure all DENY Entries are at the start of the list.
> */
>
>- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
>+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
>
> for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
> next_ace = ace->next;
>--
>1.7.7.3
>
>
>From 69fb1d56e12b83d9a60fed5dd8cad75adec2e526 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 12:21:10 -0700
>Subject: [PATCH 3/4] Only apply masks on non-default ACL entries when setting
> the ACL.
>
>---
> source3/smbd/posix_acls.c | 28 +++++++++++++++++++---------
> 1 files changed, 19 insertions(+), 9 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 8627a62..09d6bec 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1355,6 +1355,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
>
> static bool ensure_canon_entry_valid(connection_struct *conn,
> canon_ace **pp_ace,
>+ bool is_default_acl,
> const struct share_params *params,
> const bool is_directory,
> const struct dom_sid *pfile_owner_sid,
>@@ -1371,8 +1372,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> for (pace = *pp_ace; pace; pace = pace->next) {
> if (pace->type == SMB_ACL_USER_OBJ) {
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ }
> got_user = True;
>
> } else if (pace->type == SMB_ACL_GROUP_OBJ) {
>@@ -1381,8 +1383,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> * Ensure create mask/force create mode is respected on set.
> */
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> got_grp = True;
>
> } else if (pace->type == SMB_ACL_OTHER) {
>@@ -1391,8 +1394,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> * Ensure create mask/force create mode is respected on set.
> */
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IROTH);
>+ }
> got_other = True;
> pace_other = pace;
> }
>@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->perms = pace_other->perms;
> }
>
>- apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ }
> } else {
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
> }
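Review bot: The new `is_default_acl` parameter added in the `-1355` signature hunk changes when create mask/force create mode are enforced, but the function's header comment is not updated to say so; that comment sits above the signature and is not part of this hunk. A line such as `is_default_acl: true when the list is a default ACL; its entries are not passed through apply_default_perms() on set.` would record the rule next to the signature. The same condition is then spelled out separately in the hunks at `-1371`, `-1381` and `-1391` (`setting_acl && !is_default_acl`) and as a nested `if (!is_default_acl)` at `-1438`, `-1464` and `-1486`, so a reader has to check six sites to confirm the mask is skipped consistently. The function body starts and ends outside these hunks.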
>@@ -1464,7 +1470,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->perms = pace_other->perms;
> else
> pace->perms = 0;
>- apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> } else {
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
> }
>@@ -1486,7 +1494,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->attr = ALLOW_ACE;
> if (setting_acl) {
> pace->perms = 0;
>- apply_default_perms(params, is_directory, pace, S_IROTH);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IROTH);
>+ }
> } else
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
>
>@@ -2331,7 +2341,7 @@ static bool unpack_canon_ace(files_struct *fsp,
>
> print_canon_ace_list( "file ace - before valid", file_ace);
>
>- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
>+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
> fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
> free_canon_ace_list(file_ace);
> free_canon_ace_list(dir_ace);
>@@ -2340,7 +2350,7 @@ static bool unpack_canon_ace(files_struct *fsp,
>
> print_canon_ace_list( "dir ace - before valid", dir_ace);
>
>- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
> fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
> free_canon_ace_list(file_ace);
> free_canon_ace_list(dir_ace);
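Review bot: The two updated calls in unpack_canon_ace (hunks at `-2331` and `-2340`) pass the new argument as a bare `false`/`true`, while the last argument of the same call is still written `True`, so each call now carries two unlabelled booleans in different spellings. Because this argument decides whether the create mask is enforced on the list, the call sites should say which flag is which, e.g. `&file_ace, false /* is_default_acl */,` and `&dir_ace, true /* is_default_acl */,`. Using one spelling of the boolean constants within a call would also help. unpack_canon_ace starts and ends outside these hunks.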
>@@ -2526,7 +2536,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> * This next call will ensure we have at least a user/group/world set.
> */
>
>- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
>+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
> S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
> psbuf, False))
> goto fail;
>--
>1.7.7.3
>
>
>From cd15da0736ea5adf91b40549525f721a0abcc5a4 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:15:54 -0700
>Subject: [PATCH 4/4] When setting a non-default ACL, don't forget to apply
> masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
> (cherry picked from commit
> 6575d1d34fee45c7a965c7c9641cc52b566a9e7f)
>
>---
> source3/smbd/posix_acls.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 09d6bec..22ad40f 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1399,6 +1399,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> }
> got_other = True;
> pace_other = pace;
>+
>+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
>+
>+ /*
>+ * Ensure create mask/force create mode is respected on set.
>+ */
>+
>+ if (setting_acl && !is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> }
> }
>
>--
>1.7.7.3
>
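Review bot: In the new `SMB_ACL_USER || SMB_ACL_GROUP` branch of the `-1399` hunk, named-user entries are masked with the `S_IRGRP` selector, and the comment copied from the branches above does not say why a user entry takes the group selector. If this is deliberate (presumably because named user and group entries fall in the POSIX group class), the comment should state it, e.g. `/* Named user/group entries are treated as group-class: mask them with the group bits of create mask/force create mode. */`. Without that, the next reader cannot tell an intended choice from a copy-paste of the `SMB_ACL_GROUP_OBJ` branch. The loop this branch belongs to starts outside the hunk.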
Flags:
asn
:
review+