Part 5 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid...
authorJeremy Allison <jra@samba.org>
Fri, 2 Sep 2011 20:41:24 +0000 (13:41 -0700)
committerJeremy Allison <jra@samba.org>
Fri, 2 Sep 2011 22:16:05 +0000 (00:16 +0200)
Be smarter about setting default permissions when an ACL_GROUP_OBJ isn't given. Use the
principle of least surprise for the user.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Sep  3 00:16:05 CEST 2011 on sn-devel-104

source3/smbd/posix_acls.c

index 0be7bec47fd536d053e4f3debd4073b1f739feb6..0d0b5da630dee3f5fef8b5a8b9b75c430de2a879 100644 (file)
@@ -1457,12 +1457,29 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
                pace->unix_ug.uid = pst->st_ex_gid;
                pace->trustee = *pfile_grp_sid;
                pace->attr = ALLOW_ACE;
+               /* Start with existing permissions, principle of least
+                  surprises for the user. */
+               pace->perms = pst->st_ex_mode;
+
                if (setting_acl) {
+                       /* See if there's a matching group entry.
+                          If so, OR in the permissions from that entry. */
+
+                       canon_ace *pace_iter;
+
+                       for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
+                               if (pace_iter->type == SMB_ACL_GROUP &&
+                                                       pace_iter->unix_ug.gid == pace->unix_ug.gid) {
+                                       pace->perms |= pace_iter->perms;
+                                       break;
+                               }
+                       }
+
                        /* If we only got an "everyone" perm, just use that. */
-                       if (got_other)
-                               pace->perms = pace_other->perms;
-                       else
-                               pace->perms = 0;
+                       if (pace->perms == 0) {
+                               if (got_other)
+                                       pace->perms = pace_other->perms;
+                       }
                        apply_default_perms(params, is_directory, pace, S_IRGRP);
                } else {
                        pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
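Review bot: The added `pace->perms = pst->st_ex_mode;` stores the whole mode word in the group entry, whereas the `else` branch at the end of this hunk reduces the same field with `unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP)`. If `perms` is meant to hold only the converted group bits, as that branch suggests, the owner, other and file-type bits carry into the synthesized group-owner entry before the matching group entry is OR-ed in, which could leave the group with more access than the file's current group permissions. It also likely makes the new `if (pace->perms == 0)` fallback to `pace_other->perms` unreachable, since `st_ex_mode` normally has file-type bits set. Consider starting from `pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);` instead. ensure_canon_entry_valid begins and ends outside the hunk, so how `perms` is consumed later should be confirmed there.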