From cf9e68ccf95adfa117404aafebc78c77ab621860 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 4 Dec 2012 15:41:21 -0800
Subject: [PATCH 1/4] Add in accessor functions to facilitate a layer
 violation.

Part of fix for bug #9462 - Users can not be given write permissions any more by default
---
 source3/smbd/globals.c |   13 +++++++++++++
 source3/smbd/globals.h |    3 +++
 2 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/source3/smbd/globals.c b/source3/smbd/globals.c
index 3eb65a1..a0ff31e 100644
--- a/source3/smbd/globals.c
+++ b/source3/smbd/globals.c
@@ -116,3 +116,16 @@ void smbd_init_globals(void)
 
 	ZERO_STRUCT(sec_ctx_stack);
 }
+
+static bool create_in_progress = false;
+
+/* Accessor functions for layer violation. This sucks... JRA. */
+void set_create_in_progress(bool val)
+{
+	create_in_progress = val;
+}
+
+bool is_create_in_progress(void)
+{
+	return create_in_progress;
+}
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 0d0ebcd..ae67384 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -791,3 +791,6 @@ struct smbd_server_connection {
 extern struct smbXsrv_connection *global_smbXsrv_connection;
 
 void smbd_init_globals(void);
+
+void set_create_in_progress(bool val);
+bool is_create_in_progress(void);
-- 
1.7.7.3


From 127f3e2e5af83699b085ee0d0378f8a6416cea6b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 4 Dec 2012 15:42:29 -0800
Subject: [PATCH 2/4] Ensure we let the lower layer know this is a create in
 progress so it can calculate the correct unix
 permission masks.

Part of fix for bug #9462 - Users can not be given write permissions any more by default
---
 source3/smbd/open.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index c5529ec..9908b4b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3612,9 +3612,11 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 		/* We need to be root to force this. */
 		become_root();
 	}
+	set_create_in_progress(true);
 	status = SMB_VFS_FSET_NT_ACL(fsp,
 			security_info_sent,
 			psd);
+	set_create_in_progress(false);
 	if (inherit_owner) {
 		unbecome_root();
 	}
-- 
1.7.7.3


From 4d036dd3fc934eb36b72beb9ac66f8d063da7b32 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 4 Dec 2012 15:46:14 -0800
Subject: [PATCH 3/4] Change behavior of apply_default_perms() if we're in a
 create call.

Part of fix for bug #9462 - Users can not be given write permissions any more by default
---
 source3/smbd/posix_acls.c |   20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 4e93fef..97b10b5 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -28,6 +28,7 @@
 #include "auth.h"
 #include "../librpc/gen_ndr/idmap.h"
 #include "lib/param/loadparm.h"
+#include "smbd/globals.h"
 
 extern const struct generic_mapping file_generic_mapping;
 
@@ -1243,17 +1244,18 @@ static void apply_default_perms(const struct share_params *params,
 				const bool is_directory, canon_ace *pace,
 				mode_t type)
 {
-	mode_t and_bits = (mode_t)0;
+	/* The initial bits to apply (no restrictions). */
+	mode_t and_bits = (mode_t)-1;
 	mode_t or_bits = (mode_t)0;
 
-	/* Get the initial bits to apply. */
-
-	if (is_directory) {
-		and_bits = lp_dir_mask(params->service);
-		or_bits = lp_force_dir_mode(params->service);
-	} else {
-		and_bits = lp_create_mask(params->service);
-		or_bits = lp_force_create_mode(params->service);
+	if (is_create_in_progress()) {
+		if (is_directory) {
+			and_bits = lp_dir_mask(params->service);
+			or_bits = lp_force_dir_mode(params->service);
+		} else {
+			and_bits = lp_create_mask(params->service);
+			or_bits = lp_force_create_mode(params->service);
+		}
 	}
 
 	/* Now bounce them into the S_USR space. */	
-- 
1.7.7.3


From 4abc2395ddb57433188ab3b6cc0e033d79ab0e5d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 4 Dec 2012 15:47:06 -0800
Subject: [PATCH 4/4] Documentation fixes for bug #9462 - Users can not be
 given write permissions any more by default

Ensure we don't apply the masks + force modes on security setting
changes, only on create.
---
 docs-xml/smbdotconf/security/createmask.xml        |    5 -----
 docs-xml/smbdotconf/security/directorymask.xml     |    5 -----
 .../smbdotconf/security/directorysecuritymask.xml  |    4 +---
 docs-xml/smbdotconf/security/forcecreatemode.xml   |    6 ------
 .../smbdotconf/security/forcedirectorymode.xml     |    6 ------
 .../security/forcedirectorysecuritymode.xml        |    5 +----
 docs-xml/smbdotconf/security/forcesecuritymode.xml |    5 +----
 docs-xml/smbdotconf/security/securitymask.xml      |    4 +---
 8 files changed, 4 insertions(+), 36 deletions(-)

diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml
index 59e208d..5df0718 100644
--- a/docs-xml/smbdotconf/security/createmask.xml
+++ b/docs-xml/smbdotconf/security/createmask.xml
@@ -26,11 +26,6 @@
 	This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
 	for details.
 	</para>
-
-    <para>
-	New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control
-	over permission changes it should be set to 0777.
-	</para>
 </description>
 
 <related>force create mode</related>
diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml
index 2ebfc16..b17625c 100644
--- a/docs-xml/smbdotconf/security/directorymask.xml
+++ b/docs-xml/smbdotconf/security/directorymask.xml
@@ -23,11 +23,6 @@
     <para>Following this Samba will bit-wise 'OR' the UNIX mode 
     created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. 
     This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
-
-    <para>
-    New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control
-    over permission changes it should be set to 0777.
-    </para>
 </description>
 
 <related>force directory mode</related>
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
index c5c8c65..ad208f4 100644
--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -5,9 +5,7 @@
 		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter has been removed for Samba 4.0.0. The parameter
-	<smbconfoption name="directory mask"/> is now used instead to mask
-	any permission bit changes on directories.
+	This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 
diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml
index 5a57a29..a3f1c2c 100644
--- a/docs-xml/smbdotconf/security/forcecreatemode.xml
+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
@@ -10,12 +10,6 @@
     mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
     parameter is applied.</para>
 
-    <para>
-    New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
-    permissions are changed on a file, not just when the file is created.
-    This replaces the now removed <parameter moreinfo="none">force security mode</parameter>.
-    </para>
-
     <para>The example below would force all newly created files to have read and execute
     permissions set for 'group' and 'other' as well as the
     read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml
index e5b37ea..7effc0e 100644
--- a/docs-xml/smbdotconf/security/forcedirectorymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
@@ -12,12 +12,6 @@
     mask in the parameter <parameter moreinfo="none">directory mask</parameter> is 
     applied.</para>
 
-    <para>
-    New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
-    permissions are changed on a directory, not just when the file is created.
-    This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>.
-    </para>
-
 	<para>The example below would force all created directories to have read and execute
     permissions set for 'group' and 'other' as well as the
     read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
index 3ea3b5c..a45395d 100644
--- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -5,10 +5,7 @@
 		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter has been removed for Samba 4.0.0. The parameter
-	<smbconfoption name="force directory mode"/> is now used instead to
-	force any permission changes on directories to include specific UNIX
-	permission bits.
+	This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml
index 2568bcc..5a9479e 100644
--- a/docs-xml/smbdotconf/security/forcesecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
@@ -5,10 +5,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter has been removed for Samba 4.0.0. The parameter
-	<smbconfoption name="force create mode"/> is now used instead to
-	force any permission changes on files to include specific UNIX
-	permission bits.
+	This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
index cb7fcfa..e535d32 100644
--- a/docs-xml/smbdotconf/security/securitymask.xml
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -5,9 +5,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-	This parameter has been removed for Samba 4.0.0. The parameter
-	<smbconfoption name="create mask"/> is now used instead to mask
-	any permission bit changes on files.
+	This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 </samba:parameter>
-- 
1.7.7.3