From 5ff72827c3b74f28995b45250fe8efa79495e3b6 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Wed, 26 Nov 2014 18:01:37 +0100
Subject: [PATCH] s3:smbd: ignore dacls with MS NFS ACEs
Ignore NFS ACEs in code the modifies
* default POSIX ACLs
* VFS: NFSv4 ACLs
* VFS: xattr and tdb ACLs
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
---
 source3/modules/nfs4_acls.c | 3 +++
 source3/modules/vfs_acl_common.c | 9 +++++++++
 source3/smbd/posix_acls.c | 10 ++++++++++
 3 files changed, 22 insertions(+)
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index cf61af90c5f..1aa819a34f9 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -778,6 +778,9 @@ static bool smbacl4_fill_ace4(
 ace_v4->who.gid = gid;
 } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
 ace_v4->who.uid = uid;
+ } else if (dom_sid_compare_domain(&ace_nt->trustee,
+ &global_sid_Unix_NFS) == 0) {
+ return false;
 } else {
 DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
 "convert %s to uid or gid\n",
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index b749157ef3d..920c811de5e 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -775,6 +775,15 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
 psd->group_sid = orig_psd->group_sid;
 }
 if (security_info_sent & SECINFO_DACL) {
+ if (security_descriptor_with_ms_nfs(orig_psd)) {
+ /*
+ * If the sd contains a MS NFS SID, do
+ * nothing, it's a chmod() request from OS X
+ * with AAPL context.
+ */
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
 psd->dacl = orig_psd->dacl;
 psd->type |= SEC_DESC_DACL_PRESENT;
 }
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 126b822439a..6a5ec859884 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
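Review bot: The new `dom_sid_compare_domain(&ace_nt->trustee, &global_sid_Unix_NFS) == 0` branch in smbacl4_fill_ace4 (source3/modules/nfs4_acls.c) returns false with neither a comment nor a debug message, while the neighbouring fallback branch logs at DEBUG(1). An intentionally skipped ACE therefore cannot be told apart from a failed conversion in the code or the logs. I would add a comment such as `/* MS NFS ACE: intentionally not converted, skip it */` and a low-level `DEBUG(10, ...)` naming the file and SID. The branch is also reached only after the uid/gid mapping attempts have failed, so testing the NFS domain before those calls may save id-mapping lookups; the start of the if-chain and the caller's handling of a false return are outside the hunk, so both should be confirmed there.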
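Review bot: The early `return NT_STATUS_OK` in fset_nt_acl_common (source3/modules/vfs_acl_common.c) reports success for the whole request as soon as `security_descriptor_with_ms_nfs(orig_psd)` is true, and nothing in the hunk checks that the connection negotiated the AAPL context the comment refers to. The client is told the security descriptor was set while the stored ACL is unchanged, and the owner/group values copied into `psd` just above are discarded with it; set_nt_acl in source3/smbd/posix_acls.c gets the same success-without-change return. The helper is defined outside this patch, so it may match on a single NFS ACE; if it does, a restrictive DACL that carries one such ACE would be acknowledged but never applied. I would gate the shortcut on the negotiated AAPL state, or document why that is unnecessary, and log the ignored request at a debug level so it can be traced. The function body starts and ends outside the hunk.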
@@ -3666,6 +3666,16 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
 return NT_STATUS_INVALID_PARAMETER;
 }
+ /*
+ * MS NFS mode, here's the deal: the client merely wants to
+ * modify the mode, but roundtripping get_acl/set/acl would
+ * add additional POSIX ACEs. So in case we get a request
+ * containing a MS NFS mode SID, we do nothing here.
+ */
+ if (security_descriptor_with_ms_nfs(psd_orig)) {
+ return NT_STATUS_OK;
+ }
+
 psd = security_descriptor_copy(talloc_tos(), psd_orig);
 if (psd == NULL) {
 return NT_STATUS_NO_MEMORY;
--
2.34.1
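Review bot: The `security_descriptor_with_ms_nfs(psd_orig)` check in set_nt_acl is not conditioned on `security_info_sent & SECINFO_DACL`, unlike the matching check this commit adds in fset_nt_acl_common. A request that does not ask for a DACL change but carries such a descriptor would therefore also return early here. If that is not intended, `if ((security_info_sent & SECINFO_DACL) && security_descriptor_with_ms_nfs(psd_orig)) {` keeps the two paths consistent. The comment's `get_acl/set/acl` looks like a typo for `get_acl/set_acl`. The rest of set_nt_acl is outside the hunk, so whether later owner or group handling is meant to be skipped as well cannot be confirmed from here.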