Only apply masks on non-default ACL entries when setting the ACL.

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 8627a62b79af88fdf07a333755df48bcc3883475..09d6becf638b4aac599f53e1646183773beee28d 100644 (file)
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1355,6 +1355,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
 
 static bool ensure_canon_entry_valid(connection_struct *conn,
                                        canon_ace **pp_ace,
+                                       bool is_default_acl,
                                        const struct share_params *params,
                                        const bool is_directory,
                                        const struct dom_sid *pfile_owner_sid,
@@ -1371,8 +1372,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
        for (pace = *pp_ace; pace; pace = pace->next) {
                if (pace->type == SMB_ACL_USER_OBJ) {
 
-                       if (setting_acl)
+                       if (setting_acl && !is_default_acl) {
                                apply_default_perms(params, is_directory, pace, S_IRUSR);
+                       }
                        got_user = True;
 
                } else if (pace->type == SMB_ACL_GROUP_OBJ) {
@@ -1381,8 +1383,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
                         * Ensure create mask/force create mode is respected on set.
                         */
 
-                       if (setting_acl)
+                       if (setting_acl && !is_default_acl) {
                                apply_default_perms(params, is_directory, pace, S_IRGRP);
+                       }
                        got_grp = True;
 
                } else if (pace->type == SMB_ACL_OTHER) {
@@ -1391,8 +1394,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
                         * Ensure create mask/force create mode is respected on set.
                         */
 
-                       if (setting_acl)
+                       if (setting_acl && !is_default_acl) {
                                apply_default_perms(params, is_directory, pace, S_IROTH);
+                       }
                        got_other = True;
                        pace_other = pace;
                }
@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
                                        pace->perms = pace_other->perms;
                        }
 
-                       apply_default_perms(params, is_directory, pace, S_IRUSR);
+                       if (!is_default_acl) {
+                               apply_default_perms(params, is_directory, pace, S_IRUSR);
+                       }
                } else {
                        pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
                }
@@ -1464,7 +1470,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
                                pace->perms = pace_other->perms;
                        else
                                pace->perms = 0;
-                       apply_default_perms(params, is_directory, pace, S_IRGRP);
+                       if (!is_default_acl) {
+                               apply_default_perms(params, is_directory, pace, S_IRGRP);
+                       }
                } else {
                        pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
                }
@@ -1486,7 +1494,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
                pace->attr = ALLOW_ACE;
                if (setting_acl) {
                        pace->perms = 0;
-                       apply_default_perms(params, is_directory, pace, S_IROTH);
+                       if (!is_default_acl) {
+                               apply_default_perms(params, is_directory, pace, S_IROTH);
+                       }
                } else
                        pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
 
@@ -2331,7 +2341,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 
        print_canon_ace_list( "file ace - before valid", file_ace);
 
-       if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+       if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
                        fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
                free_canon_ace_list(file_ace);
                free_canon_ace_list(dir_ace);
@@ -2340,7 +2350,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 
        print_canon_ace_list( "dir ace - before valid", dir_ace);
 
-       if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+       if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
                        fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
                free_canon_ace_list(file_ace);
                free_canon_ace_list(dir_ace);
@@ -2526,7 +2536,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
         * This next call will ensure we have at least a user/group/world set.
         */
 
-       if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+       if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
                                      S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
                                      psbuf, False))
                goto fail;