do not merge ACEs with different SMB_ACE4_INHERIT_ONLY_ACE flag, this leads to wrong...

user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:10000005:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

would be merged to

user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

so the explicit right for the user on the parent directory will be gone (the InheritOnly flag only accounts to subdirectories)
thus leaving the user without access to the directory itself

Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
(cherry picked from commit 5e7da42f6ea768a1e2eeeb15b8b2c41cdfcac94f)

Signed-off-by: Michael Adam <obnox@samba.org>

diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index e6f972de330b59c74b17db5eb8406229cfb767c9..f045f696284797d556c8b2607d9600234c4210c9 100644 (file)
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -439,8 +439,15 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
        for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
                SMB_ACE4PROP_T *ace = &aceint->prop;
 
+                DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
+                         "new type:0x%x flags:0x%x aceFlags:0x%x\n",
+                         ace->aceType, ace->flags, ace->aceFlags,
+                         aceNew->aceType, aceNew->flags,aceNew->aceFlags));
+
                if (ace->flags == aceNew->flags &&
                        ace->aceType==aceNew->aceType &&
+                       ((ace->aceFlags&SMB_ACE4_INHERIT_ONLY_ACE)==
+                        (aceNew->aceFlags&SMB_ACE4_INHERIT_ONLY_ACE)) &&
                        (ace->aceFlags&SMB_ACE4_IDENTIFIER_GROUP)==
                        (aceNew->aceFlags&SMB_ACE4_IDENTIFIER_GROUP)
                ) {