Another attempt to fix bug #4308 - Excel save operation corrupts file ACLs.

Simo is completely correct. We should be doing the chown *first*, and fail the
ACL set if this fails. The long standing assumption I made when writing the
initial POSIX ACL code was that Windows didn't control who could chown a file
in the same was as POSIX. In POSIX only root can do this whereas I wasn't sure
who could do this in Windows at the time (I didn't understand the privilege
model). So the assumption was that setting the ACL was more important (early
tests showed many failed ACL set's due to inability to chown). But now we have
privileges in smbd, and we must always fail an ACL set when we can't chown
first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL
incoming are relative to the *new* owner, not the old one. This is why the old
user owner disappears on ACL set - their access was set via the USER_OBJ in the
creator POSIX ACL and when the ownership changes they lose their access.

Patch is simple - just ensure we do the chown first before evaluating the
incoming ACL re-read the owners. We already have code to do this it just wasn't
rigorously being applied.
Jeremy.
(cherry picked from commit 9a95b6cac2dea88cb9e9b428292dfca9d1e3e801)

diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index 488646783d99a2f438a6613bef4d6818f6302e96..16572509ad3c8201851933ee74cd273b08a5df00 100644 (file)
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -3340,7 +3340,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
        mode_t orig_mode = (mode_t)0;
        uid_t orig_uid;
        gid_t orig_gid;
-       BOOL need_chown = False;
 
        DEBUG(10,("set_nt_acl: called for file %s\n", fsp->fsp_name ));
 
@@ -3379,16 +3378,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
         */
 
        if (((user != (uid_t)-1) && (orig_uid != user)) || (( grp != (gid_t)-1) && (orig_gid != grp))) {
-               need_chown = True;
-       }
-
-       /*
-        * Chown before setting ACL only if we don't change the user, or
-        * if we change to the current user, but not if we want to give away
-        * the file.
-        */
-
-       if (need_chown && (user == (uid_t)-1 || user == current_user.ut.uid)) {
 
                DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
                                fsp->fsp_name, (unsigned int)user, (unsigned int)grp ));
@@ -3425,9 +3414,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
                orig_mode = sbuf.st_mode;
                orig_uid = sbuf.st_uid;
                orig_gid = sbuf.st_gid;
-
-               /* We did it, don't try again */
-               need_chown = False;
        }
 
        create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid);
@@ -3579,19 +3565,6 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
                free_canon_ace_list(dir_ace_list); 
        }
 
-       /* Any chown pending? */
-       if (need_chown) {
-
-               DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
-                       fsp->fsp_name, (unsigned int)user, (unsigned int)grp ));
-
-               if(try_chown( fsp->conn, fsp->fsp_name, user, grp) == -1) {
-                       DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error = %s.\n",
-                               fsp->fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) ));
-                       return False;
-               }
-       }
-
        return True;
 }