From: Volker Lendecke <vlendec@samba.org>
Date: Thu, 1 Jul 2004 14:49:44 +0000 (+0000)
Subject: r1314: Restore the 2.2 'force unknown acl user' parameter. When getting a security
X-Git-Tag: samba-misc-tags/initial-v3-0-unstable~6010
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=80e57d27909a9a1edad962e3f43c2178d2da2a92;p=samba.git

r1314: Restore the 2.2 'force unknown acl user' parameter. When getting a security
descriptor for a file, if the owner sid is not known, the owner uid is set to
the current uid. Same for group sid.

This makes xcopy /o possible for files that are owned by local users/groups
(local administrators for example).

Thanks to Guenther for his persistence :-)

Volker
---

diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index c43edd5eda7..b4686d56ea2 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -413,6 +413,7 @@ typedef struct
 	BOOL bUseClientDriver;
 	BOOL bDefaultDevmode;
 	BOOL bNTAclSupport;
+	BOOL bForceUnknownAclUser;
 	BOOL bUseSendfile;
 	BOOL bProfileAcls;
 	BOOL bMap_acl_inherit;
@@ -536,6 +537,7 @@ static service sDefault = {
 	False,			/* bUseClientDriver */
 	False,			/* bDefaultDevmode */
 	True,			/* bNTAclSupport */
+	False,                  /* bForceUnknownAclUser */
 	True,			/* bUseSendfile */
 	False,			/* bProfileAcls */
 	False,			/* bMap_acl_inherit */
@@ -849,6 +851,7 @@ static struct parm_struct parm_table[] = {
 	{"force directory mode", P_OCTAL, P_LOCAL, &sDefault.iDir_force_mode, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
 	{"directory security mask", P_OCTAL, P_LOCAL, &sDefault.iDir_Security_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
 	{"force directory security mode", P_OCTAL, P_LOCAL, &sDefault.iDir_Security_force_mode, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
+	{"force unknown acl user", P_BOOL, P_LOCAL, &sDefault.bForceUnknownAclUser, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
 	{"inherit permissions", P_BOOL, P_LOCAL, &sDefault.bInheritPerms, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, 
 	{"inherit acls", P_BOOL, P_LOCAL, &sDefault.bInheritACLS, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, 
 	{"guest only", P_BOOL, P_LOCAL, &sDefault.bGuest_only, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, 
@@ -1893,6 +1896,7 @@ FN_LOCAL_BOOL(lp_inherit_acls, bInheritACLS)
 FN_LOCAL_BOOL(lp_use_client_driver, bUseClientDriver)
 FN_LOCAL_BOOL(lp_default_devmode, bDefaultDevmode)
 FN_LOCAL_BOOL(lp_nt_acl_support, bNTAclSupport)
+FN_LOCAL_BOOL(lp_force_unknown_acl_user, bForceUnknownAclUser)
 FN_LOCAL_BOOL(lp_ea_support, bEASupport)
 FN_LOCAL_BOOL(_lp_use_sendfile, bUseSendfile)
 FN_LOCAL_BOOL(lp_profile_acls, bProfileAcls)
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index 584164e9309..2d9591e6baa 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -880,7 +880,7 @@ static mode_t map_nt_perms( SEC_ACCESS sec_access, int type)
  Unpack a SEC_DESC into a UNIX owner and group.
 ****************************************************************************/
 
-static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
+static BOOL unpack_nt_owners(int snum, SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
 {
 	DOM_SID owner_sid;
 	DOM_SID grp_sid;
@@ -910,15 +910,17 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 	if (security_info_sent & OWNER_SECURITY_INFORMATION) {
 		sid_copy(&owner_sid, psd->owner_sid);
 		if (!NT_STATUS_IS_OK(sid_to_uid(&owner_sid, puser))) {
-#if ACL_FORCE_UNMAPPABLE
-			/* this allows take ownership to work reasonably */
-			extern struct current_user current_user;
-			*puser = current_user.uid;
-#else
-			DEBUG(3,("unpack_nt_owners: unable to validate owner sid for %s\n",
-				 sid_string_static(&owner_sid)));
-			return False;
-#endif
+			if (lp_force_unknown_acl_user(snum)) {
+				/* this allows take ownership to work
+				 * reasonably */
+				extern struct current_user current_user;
+				*puser = current_user.uid;
+			} else {
+				DEBUG(3,("unpack_nt_owners: unable to validate"
+					 " owner sid for %s\n",
+					 sid_string_static(&owner_sid)));
+				return False;
+			}
 		}
  	}
 
@@ -930,14 +932,16 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 	if (security_info_sent & GROUP_SECURITY_INFORMATION) {
 		sid_copy(&grp_sid, psd->grp_sid);
 		if (!NT_STATUS_IS_OK(sid_to_gid( &grp_sid, pgrp))) {
-#if ACL_FORCE_UNMAPPABLE
-			/* this allows take group ownership to work reasonably */
-			extern struct current_user current_user;
-			*pgrp = current_user.gid;
-#else
-			DEBUG(3,("unpack_nt_owners: unable to validate group sid.\n"));
-			return False;
-#endif
+			if (lp_force_unknown_acl_user(snum)) {
+				/* this allows take group ownership to work
+				 * reasonably */
+				extern struct current_user current_user;
+				*pgrp = current_user.gid;
+			} else {
+				DEBUG(3,("unpack_nt_owners: unable to validate"
+					 " group sid.\n"));
+				return False;
+			}
 		}
 	}
 
@@ -3005,7 +3009,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 	 * Unpack the user/group/world id's.
 	 */
 
-	if (!unpack_nt_owners( &sbuf, &user, &grp, security_info_sent, psd))
+	if (!unpack_nt_owners( SNUM(conn), &sbuf, &user, &grp, security_info_sent, psd))
 		return False;
 
 	/*