From: Jeremy Allison Date: Thu, 3 Jul 2008 17:28:36 +0000 (-0700) Subject: Patch from SATOH Fumiyasu for bug #5202. Re-activate "acl... X-Git-Tag: samba-3.0.31~7 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=fbb1e2e358af892e121bb3e5e8587d4d5ace4132;p=samba.git Patch from SATOH Fumiyasu for bug #5202. Re-activate "acl group control" parameter and make it only apply to owning group. Also added man page fix. Jeremy. --- diff --git a/docs-xml/smbdotconf/misc/dosfilemode.xml b/docs-xml/smbdotconf/misc/dosfilemode.xml index ae3b475107b..e67ccd935a5 100644 --- a/docs-xml/smbdotconf/misc/dosfilemode.xml +++ b/docs-xml/smbdotconf/misc/dosfilemode.xml @@ -3,15 +3,16 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - The default behavior in Samba is to provide - UNIX-like behavior where only the owner of a file/directory is + The default behavior in Samba is to provide + UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior - is often confusing to DOS/Windows users. Enabling this parameter - allows a user who has write access to the file (by whatever - means) to modify the permissions (including ACL) on it. Note that a user - belonging to the group owning the file will not be allowed to - change permissions if the group is only granted read access. - Ownership of the file/directory may also be changed. + is often confusing to DOS/Windows users. Enabling this parameter + allows a user who has write access to the file (by whatever + means, including an ACL permission) to modify the permissions + (including ACL) on it. Note that a user belonging to the group + owning the file will not be allowed to change permissions if + the group is only granted read access. Ownership of the + file/directory may also be changed. no diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml index e2600ca9da5..6efd46dd8dc 100644 
--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml +++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml @@ -30,8 +30,10 @@ - This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now - implemented by the dos filemode option. + This is parameter has been was deprecated in Samba 3.0.23, but re-activated in + Samba 3.0.31 and above, as it now only controls permission changes if the user + is in the owning primary group. It is now no longer equivalent to the + dos filemode option. diff --git a/source/param/loadparm.c b/source/param/loadparm.c index 4f44088c8f6..85f021763f7 100644 --- a/source/param/loadparm.c +++ b/source/param/loadparm.c @@ -922,7 +922,7 @@ static struct parm_struct parm_table[] = { {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE}, {"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, - {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED }, + {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE }, {"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE}, diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index f40a344124e..9913d5aead6 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c 
@@ -2289,18 +2289,26 @@ static BOOL current_user_in_group(gid_t gid) } /**************************************************************************** - Should we override a deny ? Check deprecated 'acl group control' - and 'dos filemode' + Should we override a deny ? Check 'acl group control' and 'dos filemode' ****************************************************************************/ -static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid) +static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid, const char *fname) { - if ( (errno == EACCES || errno == EPERM) - && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn))) - && current_user_in_group(prim_gid)) - { + SMB_STRUCT_STAT sbuf; + + if ((errno != EPERM) && (errno != EACCES)) { + return False; + } + + /* file primary group == user primary or supplementary group */ + if (lp_acl_group_control(SNUM(conn)) && current_user_in_group(prim_gid)) { return True; - } + } + + /* user has writeable permission */ + if (lp_dos_filemode(SNUM(conn)) && can_write_to_file(conn, fname, &sbuf)) { + return True; + } return False; } @@ -2488,7 +2496,7 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau *pacl_set_support = False; } - if (acl_group_override(conn, prim_gid)) { + if (acl_group_override(conn, prim_gid, fsp->fsp_name)) { int sret; DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n", @@ -2519,7 +2527,7 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau *pacl_set_support = False; } - if (acl_group_override(conn, prim_gid)) { + if (acl_group_override(conn, prim_gid, fsp->fsp_name)) { int sret; DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n", 
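Review bot: acl_group_override() can now return False with errno changed, because can_write_to_file() runs after the EPERM/EACCES test and presumably stats or probes the file; any caller that reports errno after a False return (set_canon_ace_list and set_nt_acl are only partly visible here) would then see the helper's error instead of the original denial. Save it on entry, `int saved_errno = errno;`, and restore it, `errno = saved_errno;`, immediately before the final `return False;`. The 'acl group control' branch also grants the override on group membership alone, without any write check, which is a wider grant than the 'dos filemode' branch; a comment above that branch such as `/* membership in the owning group is sufficient; no write permission is required here */` would make that privilege boundary explicit. Whether can_write_to_file() fills `sbuf` before reading it is not visible in this hunk.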
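Review bot: The DEBUG line closing this hunk still says "acl group control on and current user in file %s primary group", but acl_group_override() can now also return True through the 'dos filemode' / can_write_to_file() path, so an override granted on write access will be logged with the wrong reason when someone audits why an ACL set succeeded. Either use a neutral wording such as `"set_canon_ace_list: acl override (acl group control or dos filemode) for file %s.\n"`, or have acl_group_override() log which branch fired at the point it returns True. set_canon_ace_list begins and ends outside the hunk.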
@@ -3477,7 +3485,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) { int sret = -1; - if (acl_group_override(conn, sbuf.st_gid)) { + if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) { DEBUG(5,("set_nt_acl: acl group control on and " "current user in file %s primary group. Override delete_def_acl\n", fsp->fsp_name )); @@ -3524,7 +3532,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) { int sret = -1; - if (acl_group_override(conn, sbuf.st_gid)) { + if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) { DEBUG(5,("set_nt_acl: acl group control on and " "current user in file %s primary group. Override chmod\n", fsp->fsp_name ));
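Review bot: The "acl group control on and current user in file %s primary group. Override delete_def_acl" message in this hunk no longer matches the condition that triggers it, since acl_group_override() now also succeeds for a user who merely has write access under 'dos filemode'; the same applies to the "Override chmod" message in the next hunk. Because these messages are the only record of why a default-ACL delete or chmod was forced past a kernel denial, consider rewording to `"set_nt_acl: acl override (acl group control or dos filemode) for file %s. Override delete_def_acl\n"` or logging the granting branch inside acl_group_override(). The `sbuf.st_gid` passed here comes from a stat taken earlier in set_nt_acl that is outside the hunk, so whether it is current at this point cannot be judged from here.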