s3: Add a zfsacl:denymissingspecial parameter

When setting an ACL without any of the user/group/other entries, ZFS
automatically creates them. This can at times confuse users a lot. This
parameter denies setting such an acl, users explicitly have to for example set
an ACE with everyone allowing nothing. Users need to be educated about this,
but this helps avoid a lot of confusion.

diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index 312160c0267e62489aae61ac81c16b708d253989..a3de30e8085a3c65d50c7320472ebd9bf54810ab 100644 (file)
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -106,6 +106,7 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
        ace_t *acebuf;
        SMB4ACE_T *smbace;
        TALLOC_CTX      *mem_ctx;
+       bool have_special_id = false;
 
        /* allocate the field of ZFS aces */
        mem_ctx = talloc_tos();
@@ -140,8 +141,17 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
                                        aceprop->who.special_id));
                                continue; /* don't add it !!! */
                        }
+                       have_special_id = true;
                }
        }
+
+       if (!have_special_id
+           && lp_parm_bool(fsp->conn->params->service, "zfsacl",
+                           "denymissingspecial", false)) {
+               errno = EACCES;
+               return false;
+       }
+
        SMB_ASSERT(i == naces);
 
        /* store acl */