From d6e35dc39117e629aa035ae060e7d25796316c77 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Oct 2012 09:21:17 -0700 Subject: [PATCH 1/6] Reformat spacing to be even. --- source3/smbd/posix_acls.c | 15 ++++++++------- 1 files changed, 8 insertions(+), 7 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 016acf4..531313b 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -1351,13 +1351,14 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano type. ****************************************************************************/ -static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace, - const struct share_params *params, - const bool is_directory, - const struct dom_sid *pfile_owner_sid, - const struct dom_sid *pfile_grp_sid, - const SMB_STRUCT_STAT *pst, - bool setting_acl) +static bool ensure_canon_entry_valid(connection_struct *conn, + canon_ace **pp_ace, + const struct share_params *params, + const bool is_directory, + const struct dom_sid *pfile_owner_sid, + const struct dom_sid *pfile_grp_sid, + const SMB_STRUCT_STAT *pst, + bool setting_acl) { canon_ace *pace; canon_ace *pace_user = NULL; -- 1.7.7.3 From c1ce91416fae6519b64aad36b8498040e02f12b2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Oct 2012 09:55:09 -0700 Subject: [PATCH 2/6] Use is_default_acl variable in canonicalise_acl(). --- source3/smbd/posix_acls.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 531313b..b74c1b2 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -2629,6 +2629,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn, canon_ace *ace = NULL; canon_ace *next_ace = NULL; int entry_id = SMB_ACL_FIRST_ENTRY; + bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT); SMB_ACL_ENTRY_T entry; size_t ace_count; 
@@ -2719,7 +2720,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn, ace->trustee = sid; ace->unix_ug = unix_ug; ace->owner_type = owner_type; - ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT)); + ace->ace_flags = get_pai_flags(pal, ace, is_default_acl); DLIST_ADD(l_head, ace); } @@ -2738,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn, * acl_mask. Ensure all DENY Entries are at the start of the list. */ - DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" )); + DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access")); for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) { next_ace = ace->next; -- 1.7.7.3 From 9ccf56aea9c5c1b89c4c459b40026302ddc92309 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Oct 2012 10:12:45 -0700 Subject: [PATCH 3/6] Only apply masks on non-default ACL entries when setting the ACL. --- source3/smbd/posix_acls.c | 28 +++++++++++++++++++--------- 1 files changed, 19 insertions(+), 9 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index b74c1b2..125234c 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -1353,6 +1353,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace, + bool is_default_acl, const struct share_params *params, const bool is_directory, const struct dom_sid *pfile_owner_sid, @@ -1368,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, for (pace = *pp_ace; pace; pace = pace->next) { if (pace->type == SMB_ACL_USER_OBJ) { - if (setting_acl) + if (setting_acl && !is_default_acl) { apply_default_perms(params, is_directory, pace, S_IRUSR); + } pace_user = pace; } else if (pace->type == SMB_ACL_GROUP_OBJ) { 
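Review bot: Nothing in the @@ -1368 hunk records why default-ACL entries now skip `apply_default_perms()`; the new `setting_acl && !is_default_acl` guard is repeated in the @@ -1378, @@ -1388, @@ -1438, @@ -1466 and @@ -1490 hunks, while the existing comment "Ensure create mask/force create mode is respected on set" is left as it was. This guard decides whether a client-supplied entry is constrained by the share's masks, so I would extend the function's header comment (it starts outside these hunks) with something like `is_default_acl: true when *pp_ace is a default ACL; create mask/force create mode are then NOT applied and entries are stored as sent`. That comment should also say where, if anywhere, permissions inherited from a default ACL are limited, because these hunks do not show it.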
@@ -1378,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, * Ensure create mask/force create mode is respected on set. */ - if (setting_acl) + if (setting_acl && !is_default_acl) { apply_default_perms(params, is_directory, pace, S_IRGRP); + } pace_group = pace; } else if (pace->type == SMB_ACL_OTHER) { @@ -1388,8 +1391,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, * Ensure create mask/force create mode is respected on set. */ - if (setting_acl) + if (setting_acl && !is_default_acl) { apply_default_perms(params, is_directory, pace, S_IROTH); + } pace_other = pace; } } @@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, pace->perms = pace_other->perms; } - apply_default_perms(params, is_directory, pace, S_IRUSR); + if (!is_default_acl) { + apply_default_perms(params, is_directory, pace, S_IRUSR); + } } else { pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR); } @@ -1466,7 +1472,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, pace->perms = pace_other->perms; else pace->perms = 0; - apply_default_perms(params, is_directory, pace, S_IRGRP); + if (!is_default_acl) { + apply_default_perms(params, is_directory, pace, S_IRGRP); + } } else { pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP); } @@ -1490,7 +1498,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, pace->attr = ALLOW_ACE; if (setting_acl) { pace->perms = 0; - apply_default_perms(params, is_directory, pace, S_IROTH); + if (!is_default_acl) { + apply_default_perms(params, is_directory, pace, S_IROTH); + } } else pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH); 
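Review bot: In the @@ -1490 hunk the `if (setting_acl)` arm now holds a nested braced block while its `else` arm is still a bare statement, and the @@ -1466 hunk leaves `if (pace_other) ... else pace->perms = 0;` unbraced directly above the new braced guard. The series braces the other single-statement guards it touches, so I would brace these as well, e.g. `} else {` / `pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);` / `}`. In permission-setting code, a later edit that adds a second statement under an unbraced arm changes which entries are masked without any compiler diagnostic. The enclosing function continues outside both hunks.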
@@ -2531,7 +2541,7 @@ static bool unpack_canon_ace(files_struct *fsp, print_canon_ace_list( "file ace - before valid", file_ace); - if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params, + if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) { free_canon_ace_list(file_ace); free_canon_ace_list(dir_ace); @@ -2540,7 +2550,7 @@ static bool unpack_canon_ace(files_struct *fsp, print_canon_ace_list( "dir ace - before valid", dir_ace); - if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params, + if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) { free_canon_ace_list(file_ace); free_canon_ace_list(dir_ace); @@ -2729,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn, * This next call will ensure we have at least a user/group/world set. */ - if (!ensure_canon_entry_valid(conn, &l_head, conn->params, + if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params, S_ISDIR(psbuf->st_ex_mode), powner, pgroup, psbuf, False)) goto fail; -- 1.7.7.3 From 86d32250dedf8961f5fbee11290fd2e1bb437ae6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 2 Oct 2012 10:15:54 -0700 Subject: [PATCH 4/6] When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries. --- source3/smbd/posix_acls.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 125234c..b00f1ec 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c 
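Review bot: The updated calls in the @@ -2531 and @@ -2540 hunks pass `is_default_acl` as a bare positional literal (`false`, then `true`) while `setting_acl` is another bare boolean (`True`) at the end of the same argument list, so swapping the two would compile cleanly and apply the masks to the wrong ACL. I would label the literals at the call sites, e.g. `&file_ace, false /* is_default_acl */, fsp->conn->params,` and `&dir_ace, true /* is_default_acl */, fsp->conn->params,`. The `true` passed for `dir_ace` relies on that list only ever holding default-ACL entries, which is presumably the case but is not visible in these hunks; a one-line comment stating it would help. The mixed `true`/`True` spelling inside one call is also worth making uniform.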
@@ -1395,6 +1395,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn, apply_default_perms(params, is_directory, pace, S_IROTH); } pace_other = pace; + + } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) { + + /* + * Ensure create mask/force create mode is respected on set. + */ + + if (setting_acl && !is_default_acl) { + apply_default_perms(params, is_directory, pace, S_IRGRP); + } } } -- 1.7.7.3 From c3042857fd8b9286be92d49b1e662225564931e4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 3 Oct 2012 14:49:01 -0700 Subject: [PATCH 5/6] Remove all uses of lp_security_mask/lp_force_security_mode/lp_dir_security_mask/lp_force_dir_security_mode and replace with the normal masks. Now these parameters can be removed. --- source3/smbd/posix_acls.c | 16 ++++++++-------- source3/smbd/trans2.c | 14 ++------------ 2 files changed, 10 insertions(+), 20 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index b00f1ec..503727f 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -1270,11 +1270,11 @@ static void apply_default_perms(const struct share_params *params, /* Get the initial bits to apply. */ if (is_directory) { - and_bits = lp_dir_security_mask(params->service); - or_bits = lp_force_dir_security_mode(params->service); + and_bits = lp_dir_mask(params->service); + or_bits = lp_force_dir_mode(params->service); } else { - and_bits = lp_security_mask(params->service); - or_bits = lp_force_security_mode(params->service); + and_bits = lp_create_mask(params->service); + or_bits = lp_force_create_mode(params->service); } /* Now bounce them into the S_USR space. */ 
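Review bot: The new `SMB_ACL_USER || SMB_ACL_GROUP` branch in the @@ -1395 hunk passes `S_IRGRP` for named user entries as well as named group entries, and the copied comment does not say why. If, as the "bounce them into the S_USR space" comment in `apply_default_perms()` suggests, that argument selects which triplet of the mask is used, then the group bits of `force create mode` are OR'ed into every named user and group entry a client sets on an access ACL, which can grant more than the client asked for. I would replace the comment with `/* Named user/group entries are masked with the group triplet of create mask/force create mode; force bits are added to each such entry. */` and confirm that this widening is intended. The loop and the function continue outside the hunk.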
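Review bot: Switching `and_bits`/`or_bits` in the @@ -1270 hunk to `lp_create_mask()`/`lp_dir_mask()` changes the effective default for permission and ACL changes on existing objects: the loadparm.c hunk later in this series shows `.iCreate_mask = 0744` and `.iDir_mask = 0755` against the removed `.iSecurity_mask = 0777` and `.iDir_Security_mask = 0777`. The same substitution is made in the @@ -3185 hunk (`convert_canon_ace_to_posix_perms`) and in `unix_perms_from_wire` in trans2.c. The reverse case matters more for hardening: a share that paired a restrictive `security mask` with a permissive `create mask` is now limited only by the latter, and no code hunk in this series warns when the removed parameters still appear in a configuration. I would add a comment here such as `/* create mask/dir mask now also bound chmod and ACL sets on existing objects (formerly security mask). */` and consider keeping the old names for a release as deprecated parameters that log a warning.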
@@ -3185,11 +3185,11 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file /* Get the initial bits to apply. */ if (fsp->is_directory) { - and_bits = lp_dir_security_mask(snum); - or_bits = lp_force_dir_security_mode(snum); + and_bits = lp_dir_mask(snum); + or_bits = lp_force_dir_mode(snum); } else { - and_bits = lp_security_mask(snum); - or_bits = lp_force_security_mode(snum); + and_bits = lp_create_mask(snum); + or_bits = lp_force_create_mode(snum); } *posix_perms = (((*posix_perms) & and_bits)|or_bits); diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 2bc85bf..90d07d4 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -1364,28 +1364,18 @@ static NTSTATUS unix_perms_from_wire( connection_struct *conn, switch (ptype) { case PERM_NEW_FILE: + case PERM_EXISTING_FILE: /* Apply mode mask */ ret &= lp_create_mask(SNUM(conn)); /* Add in force bits */ ret |= lp_force_create_mode(SNUM(conn)); break; case PERM_NEW_DIR: + case PERM_EXISTING_DIR: ret &= lp_dir_mask(SNUM(conn)); /* Add in force bits */ ret |= lp_force_dir_mode(SNUM(conn)); break; - case PERM_EXISTING_FILE: - /* Apply mode mask */ - ret &= lp_security_mask(SNUM(conn)); - /* Add in force bits */ - ret |= lp_force_security_mode(SNUM(conn)); - break; - case PERM_EXISTING_DIR: - /* Apply mode mask */ - ret &= lp_dir_security_mask(SNUM(conn)); - /* Add in force bits */ - ret |= lp_force_dir_security_mode(SNUM(conn)); - break; } *ret_perms = ret; -- 1.7.7.3 From 3cb1c3c8393e5c72bf7995418cecca0c4a1249d5 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 3 Oct 2012 16:04:18 -0700 Subject: [PATCH 6/6] Remove the parameters: security mask force security mode directory mask force directory security mode and update the docs. --- docs-xml/smbdotconf/security/createmask.xml | 5 +-- docs-xml/smbdotconf/security/directorymask.xml | 8 ++-- .../smbdotconf/security/directorysecuritymask.xml | 32 ++--------------- docs-xml/smbdotconf/security/forcecreatemode.xml | 6 +++ .../smbdotconf/security/forcedirectorymode.xml | 6 +++ .../security/forcedirectorysecuritymode.xml | 38 ++----------------- docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 +++----------------- docs-xml/smbdotconf/security/securitymask.xml | 33 ++--------------- examples/scripts/shares/python/smbparm.py | 4 -- lib/param/param_functions.c | 4 -- lib/param/param_table.c | 36 ------------------ source3/include/proto.h | 4 -- source3/param/loadparm.c | 4 -- 13 files changed, 33 insertions(+), 185 deletions(-) diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml index cf6864c..59e208d 100644 --- a/docs-xml/smbdotconf/security/createmask.xml +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -28,9 +28,8 @@ - Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the . + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control + over permission changes it should be set to 0777. diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml index 7b67f79..2ebfc16 100644 --- a/docs-xml/smbdotconf/security/directorymask.xml +++ b/docs-xml/smbdotconf/security/directorymask.xml 
@@ -24,14 +24,14 @@ created from this parameter with the value of the parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the . + + New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control + over permission changes it should be set to 0777. + force directory mode create mask -directory security mask inherit permissions 0755 0775 diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml index 5ed85ae..0bd5d93 100644 --- a/docs-xml/smbdotconf/security/directorysecuritymask.xml +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml 
@@ -3,37 +3,11 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits - will be set when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask are a set of bits that will always be set to zero. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on directories. - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to set all the user/group/world - permissions on a directory. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. -force directory security mode -security mask -force security mode -0777 -0700 diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml index a3f1c2c..5a57a29 100644 --- a/docs-xml/smbdotconf/security/forcecreatemode.xml +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml 
@@ -10,6 +10,12 @@ mode after the mask set in the create mask parameter is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a file, not just when the file is created. + This replaces the now removed force security mode. + + The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml index 7effc0e..e5b37ea 100644 --- a/docs-xml/smbdotconf/security/forcedirectorymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -12,6 +12,12 @@ mask in the parameter directory mask is applied. + + New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever + permissions are changed on a directory, not just when the file is created. + This replaces the now removed force directory security mode. + + The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'. diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml index 2c15ec2..01e5fe9 100644 --- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -4,40 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on directories to include specific UNIX + permission bits. - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works in a similar manner to this one, but uses a logical AND instead - of an OR. - - - - Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). - - - - If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. - - - - Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. - - - -0 -700 - -directory security mask -security mask -force security mode - diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml index 7451ef9..b6713b1 100644 --- a/docs-xml/smbdotconf/security/forcesecuritymode.xml +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml 
@@ -4,38 +4,10 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works similar like this one but uses logical AND instead of OR. - - - - Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. - - - - If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. - - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. - - + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to + force any permission changes on files to include specific UNIX + permission bits. + - -0 -700 - -force directory security mode -directory security mask -security mask diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml index 23bc280..d1e78be 100644 --- a/docs-xml/smbdotconf/security/securitymask.xml +++ b/docs-xml/smbdotconf/security/securitymask.xml 
@@ -4,36 +4,9 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. - - - - This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting - any bits not in this mask. Make sure not to mix up this parameter with , which works in a manner similar to this one but uses a logical OR instead of an AND. - - - - Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the - file permissions regardless of the previous status of this bits on the file. - - - - If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file. + This parameter has been removed for Samba 4.0.0. The parameter + is now used instead to mask + any permission bit changes on files. - - - Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to 0777. - - -force directory security mode -directory security mask -force security mode - -0777 -0770 diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py index 8dca781..f0bc1ec 100644 --- a/examples/scripts/shares/python/smbparm.py +++ b/examples/scripts/shares/python/smbparm.py 
@@ -89,7 +89,6 @@ parm_table = { "ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""), "WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"), "MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"), - "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"), "VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""), "CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""), "DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""), @@ -102,7 +101,6 @@ parm_table = { "DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"), "LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""), "WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"), - "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"), "ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"), "PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"), "MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"), @@ -147,7 +145,6 @@ parm_table = { "LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"), "LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"), "LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"), - "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"), "LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""), "NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"), "LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"), 
@@ -184,7 +181,6 @@ parm_table = { "POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"), "INCLUDE" : ("include", SambaParmString, P_LOCAL, ""), "ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"), - "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"), "ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"), "USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""), "MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"), diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c index ce2f671..d5cd018 100644 --- a/lib/param/param_functions.c +++ b/lib/param/param_functions.c @@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share) FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions) FN_LOCAL_BOOL(acl_group_control, bAclGroupControl) FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl) -FN_LOCAL_INTEGER(security_mask, iSecurity_mask) -FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode) -FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask) -FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode) FN_LOCAL_INTEGER(defaultcase, iDefaultCase) FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace) FN_LOCAL_INTEGER(printing, iPrinting) diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 325f295..01f65fe 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c 
@@ -957,24 +957,6 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, }, { - .label = "security mask", - .type = P_OCTAL, - .p_class = P_LOCAL, - .offset = LOCAL_VAR(iSecurity_mask), - .special = NULL, - .enum_list = NULL, - .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, - }, - { - .label = "force security mode", - .type = P_OCTAL, - .p_class = P_LOCAL, - .offset = LOCAL_VAR(iSecurity_force_mode), - .special = NULL, - .enum_list = NULL, - .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, - }, - { .label = "directory mask", .type = P_OCTAL, .p_class = P_LOCAL, @@ -1002,24 +984,6 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, }, { - .label = "directory security mask", - .type = P_OCTAL, - .p_class = P_LOCAL, - .offset = LOCAL_VAR(iDir_Security_mask), - .special = NULL, - .enum_list = NULL, - .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, - }, - { - .label = "force directory security mode", - .type = P_OCTAL, - .p_class = P_LOCAL, - .offset = LOCAL_VAR(iDir_Security_force_mode), - .special = NULL, - .enum_list = NULL, - .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, - }, - { .label = "force unknown acl user", .type = P_BOOL, .p_class = P_LOCAL, diff --git a/source3/include/proto.h b/source3/include/proto.h index b3fa55a..ac3d205 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int ); bool lp_durable_handles(int); int lp_create_mask(int ); int lp_force_create_mode(int ); -int lp_security_mask(int ); -int lp_force_security_mode(int ); int lp_dir_mask(int ); int lp_force_dir_mode(int ); -int lp_dir_security_mask(int ); -int lp_force_dir_security_mode(int ); int lp_max_connections(int ); int lp_defaultcase(int ); int lp_minprintspace(int ); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 61606ce..42bf11d 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -191,12 +191,8 @@ static struct loadparm_service sDefault = .iWriteCacheSize = 0, .iCreate_mask = 0744, .iCreate_force_mode = 0, - .iSecurity_mask = 0777, - .iSecurity_force_mode = 0, .iDir_mask = 0755, .iDir_force_mode = 0, - .iDir_Security_mask = 0777, - .iDir_Security_force_mode = 0, .iMaxConnections = 0, .iDefaultCase = CASE_LOWER, .iPrinting = DEFAULT_PRINTING, -- 1.7.7.3