s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
authorJeremy Allison <jra@samba.org>
Fri, 2 Mar 2018 21:07:48 +0000 (13:07 -0800)
committerRalph Boehme <slow@samba.org>
Wed, 7 Mar 2018 22:11:21 +0000 (23:11 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/modules/vfs_fruit.c

index ec76f718c377c2272484651b905c6f952490bb1c..50fbd6cb4470d31655d91ca0a8ef11520f74058d 100644 (file)
@@ -5687,6 +5687,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
        struct security_ace ace;
        struct dom_sid sid;
        struct fruit_config_data *config;
+       bool remove_ok = false;
 
        SMB_VFS_HANDLE_GET_DATA(handle, config,
                                struct fruit_config_data,
@@ -5711,6 +5712,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
        /* MS NFS style mode */
        sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
        init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+       /* First remove any existing ACE's with this SID. */
+       status = security_descriptor_dacl_del(*ppdesc, &sid);
+       remove_ok = (NT_STATUS_IS_OK(status) ||
+                    NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+       if (!remove_ok) {
+               DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+               return status;
+       }
        status = security_descriptor_dacl_add(*ppdesc, &ace);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1,("failed to add MS NFS style ACE\n"));
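Review bot: The delete added ahead of `security_descriptor_dacl_add()` matches on the exact SID just composed from the current `st_ex_mode`, so it only removes an ACE that carries the same mode value. If the descriptor handed up from the lower layer holds an NFS-mode ACE stored while the file had a different mode (or, in the uid and gid hunks that follow, a different owner or group), the RID differs, the delete returns `NT_STATUS_OBJECT_NAME_NOT_FOUND`, and the client would presumably still receive two entries under the same Unix_NFS domain, one of them stale. Whether such an ACE can reach this point depends on code outside the hunk, so it needs confirming against the set-ACL path. If it can, filter the DACL on the domain part of `global_sid_Unix_NFS_Mode`, `global_sid_Unix_NFS_Users` and `global_sid_Unix_NFS_Groups` rather than on the full SID; otherwise state the limit in the comment, e.g. `/* Removes only an ACE with this exact SID; a stale ACE with another RID is kept. */`. The body of `fruit_fget_nt_acl` starts and ends outside the hunk.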
@@ -5720,6 +5730,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
        /* MS NFS style uid */
        sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
        init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+       /* First remove any existing ACE's with this SID. */
+       status = security_descriptor_dacl_del(*ppdesc, &sid);
+       remove_ok = (NT_STATUS_IS_OK(status) ||
+                    NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+       if (!remove_ok) {
+               DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+               return status;
+       }
        status = security_descriptor_dacl_add(*ppdesc, &ace);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1,("failed to add MS NFS style ACE\n"));
@@ -5729,6 +5748,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
        /* MS NFS style gid */
        sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
        init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+       /* First remove any existing ACE's with this SID. */
+       status = security_descriptor_dacl_del(*ppdesc, &sid);
+       remove_ok = (NT_STATUS_IS_OK(status) ||
+                    NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+       if (!remove_ok) {
+               DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+               return status;
+       }
        status = security_descriptor_dacl_add(*ppdesc, &ace);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1,("failed to add MS NFS style ACE\n"));
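Review bot: The remove-then-add sequence now appears three times in this function (mode, uid and gid hunks), differing only in the log text, which makes it easy for one copy to drift when the ACL handling changes. A small static helper would keep the "not found is fine" rule in one place and remove the need for the `remove_ok` local. The failure messages also drop the status code, so the helper below logs `nt_errstr(status)`; the helper name is only a suggestion. Each call site then becomes `status = fruit_replace_virtual_ace(*ppdesc, &sid, &ace);` followed by the existing add-failure check, which continues past the end of this hunk.

```c
/* Replace any stored ACE for this SID so the virtual ACE is returned once. */
static NTSTATUS fruit_replace_virtual_ace(struct security_descriptor *psd,
					  const struct dom_sid *sid,
					  const struct security_ace *ace)
{
	NTSTATUS status;

	status = security_descriptor_dacl_del(psd, sid);
	if (!NT_STATUS_IS_OK(status) &&
	    !NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
		DBG_WARNING("failed to remove virtual ACE: %s\n",
			    nt_errstr(status));
		return status;
	}

	return security_descriptor_dacl_add(psd, ace);
}

/* … unchanged: sid_compose() and init_sec_ace() for mode, uid and gid … */
```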