From: Jeremy Allison Date: Tue, 22 Nov 2011 20:33:54 +0000 (-0800) Subject: Remove the setting of the inherited ACL on new files/directories. This is X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=7ef4d08a98870a84ac6e60c194a0fcd47ebe00e8;p=kai%2Fsamba.git Remove the setting of the inherited ACL on new files/directories. This is now done correctly in the main codepath. The vfs_acl_XXXX modules are now thin shims that simply store/retrieve ACLs as they should be. --- diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index aebf0aeedd1..799de98520d 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -444,126 +444,6 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, return NT_STATUS_OK; } -/********************************************************************* - Create a default ACL by inheriting from the parent. If no inheritance - from the parent available, don't set anything. This will leave the actual - permissions the new file or directory already got from the filesystem - as the NT ACL when read. -*********************************************************************/ - -static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, - files_struct *fsp, - struct security_descriptor *parent_desc, - bool is_directory) -{ - TALLOC_CTX *ctx = talloc_tos(); - NTSTATUS status = NT_STATUS_OK; - struct security_descriptor *psd = NULL; - struct dom_sid *owner_sid = NULL; - struct dom_sid *group_sid = NULL; - uint32_t security_info_sent = (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL); - bool inherit_owner = lp_inherit_owner(SNUM(handle->conn)); - bool inheritable_components = sd_has_inheritable_components(parent_desc, - is_directory); - size_t size; - - if (!inheritable_components && !inherit_owner) { - /* Nothing to inherit and not setting owner. */ - return NT_STATUS_OK; - } - - /* Create an inherited descriptor from the parent. */ - - if (DEBUGLEVEL >= 10) { - DEBUG(10,("inherit_new_acl: parent acl for %s is:\n", - fsp_str_dbg(fsp) )); - NDR_PRINT_DEBUG(security_descriptor, parent_desc); - } - - /* Inherit from parent descriptor if "inherit owner" set. */ - if (inherit_owner) { - owner_sid = parent_desc->owner_sid; - group_sid = parent_desc->group_sid; - } - - if (owner_sid == NULL) { - owner_sid = &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; - } - if (group_sid == NULL) { - group_sid = &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX]; - } - - status = se_create_child_secdesc(ctx, - &psd, - &size, - parent_desc, - owner_sid, - group_sid, - is_directory); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - /* If inheritable_components == false, - se_create_child_secdesc() - creates a security desriptor with a NULL dacl - entry, but with SEC_DESC_DACL_PRESENT. We need - to remove that flag. */ - - if (!inheritable_components) { - security_info_sent &= ~SECINFO_DACL; - psd->type &= ~SEC_DESC_DACL_PRESENT; - } - - if (DEBUGLEVEL >= 10) { - DEBUG(10,("inherit_new_acl: child acl for %s is:\n", - fsp_str_dbg(fsp) )); - NDR_PRINT_DEBUG(security_descriptor, psd); - } - - if (inherit_owner) { - /* We need to be root to force this. */ - become_root(); - } - status = SMB_VFS_FSET_NT_ACL(fsp, - security_info_sent, - psd); - if (inherit_owner) { - unbecome_root(); - } - return status; -} - -static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle, - const char *path, - struct security_descriptor **pp_parent_desc) -{ - char *parent_name = NULL; - NTSTATUS status; - - if (!parent_dirname(talloc_tos(), path, &parent_name, NULL)) { - return NT_STATUS_NO_MEMORY; - } - - status = get_nt_acl_internal(handle, - NULL, - parent_name, - (SECINFO_OWNER | - SECINFO_GROUP | - SECINFO_DACL), - pp_parent_desc); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("get_parent_acl_common: get_nt_acl_internal " - "on directory %s for " - "path %s returned %s\n", - parent_name, - path, - nt_errstr(status) )); - } - return status; -} - /********************************************************************* Fetch a security descriptor given an fsp. *********************************************************************/ @@ -778,108 +658,6 @@ static int rmdir_acl_common(struct vfs_handle_struct *handle, true); } -static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle, - struct smb_request *req, - uint16_t root_dir_fid, - struct smb_filename *smb_fname, - uint32_t access_mask, - uint32_t share_access, - uint32_t create_disposition, - uint32_t create_options, - uint32_t file_attributes, - uint32_t oplock_request, - uint64_t allocation_size, - uint32_t private_flags, - struct security_descriptor *sd, - struct ea_list *ea_list, - files_struct **result, - int *pinfo) -{ - NTSTATUS status, status1; - files_struct *fsp = NULL; - int info; - struct security_descriptor *parent_sd = NULL; - - status = SMB_VFS_NEXT_CREATE_FILE(handle, - req, - root_dir_fid, - smb_fname, - access_mask, - share_access, - create_disposition, - create_options, - file_attributes, - oplock_request, - allocation_size, - private_flags, - sd, - ea_list, - result, - &info); - - if (!NT_STATUS_IS_OK(status)) { - goto out; - } - - if (info != FILE_WAS_CREATED) { - /* File/directory was opened, not created. */ - goto out; - } - - fsp = *result; - - if (fsp == NULL) { - /* Only handle success. */ - goto out; - } - - if (sd) { - /* Security descriptor already set. */ - goto out; - } - - if (fsp->base_fsp) { - /* Stream open. */ - goto out; - } - - status = get_parent_acl_common(handle, - fsp->fsp_name->base_name, - &parent_sd); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } - - if (!parent_sd) { - goto err; - } - - /* New directory - inherit from parent. */ - status1 = inherit_new_acl(handle, fsp, parent_sd, fsp->is_directory); - - if (!NT_STATUS_IS_OK(status1)) { - DEBUG(1,("create_file_acl_common: error setting " - "sd for %s (%s)\n", - fsp_str_dbg(fsp), - nt_errstr(status1) )); - } - - out: - - TALLOC_FREE(parent_sd); - - if (NT_STATUS_IS_OK(status) && pinfo) { - *pinfo = info; - } - return status; - - err: - - smb_panic("create_file_acl_common: logic error.\n"); - /* NOTREACHED */ - return status; -} - static int unlink_acl_common(struct vfs_handle_struct *handle, const struct smb_filename *smb_fname) { diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index 647d133d396..35b8ab70c73 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c @@ -401,7 +401,6 @@ static struct vfs_fn_pointers vfs_acl_tdb_fns = { .connect_fn = connect_acl_tdb, .disconnect = disconnect_acl_tdb, .rmdir = rmdir_acl_tdb, - .create_file = create_file_acl_common, .unlink = unlink_acl_tdb, .chmod = chmod_acl_module_common, .fchmod = fchmod_acl_module_common, diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index f1a2e897e70..25a3c54ef25 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -202,7 +202,6 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, static struct vfs_fn_pointers vfs_acl_xattr_fns = { .connect_fn = connect_acl_xattr, .rmdir = rmdir_acl_common, - .create_file = create_file_acl_common, .unlink = unlink_acl_common, .chmod = chmod_acl_module_common, .fchmod = fchmod_acl_module_common,