Only apply masks on non-default ACL entries when setting the ACL.
author
Jeremy Allison
<jra@samba.org>
Tue, 2 Oct 2012 20:01:59 +0000
(13:01 -0700)
committer
Karolin Seeger
<kseeger@samba.org>
Fri, 5 Oct 2012 07:50:49 +0000
(09:50 +0200)
source3/smbd/posix_acls.c
diff --git
a/source3/smbd/posix_acls.c
b/source3/smbd/posix_acls.c
index 338ee6cfcaaf803afcd198117834c72ec3fce500..f7258bd66d779938101183bd92ead522d2b05f0a 100644
--- a/
source3/smbd/posix_acls.c
+++ b/
source3/smbd/posix_acls.c
@@
-1342,6
+1342,7
@@
static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
****************************************************************************/
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
****************************************************************************/
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
+ bool is_default_acl,
const struct share_params *params,
const bool is_directory,
const DOM_SID *pfile_owner_sid,
const struct share_params *params,
const bool is_directory,
const DOM_SID *pfile_owner_sid,
@@
-1358,8
+1359,9
@@
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl
)
+ if (setting_acl
&& !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRUSR);
apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
got_user = True;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
got_user = True;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
@@
-1368,8
+1370,9
@@
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
* Ensure create mask/force create mode is respected on set.
*/
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl
)
+ if (setting_acl
&& !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
got_grp = True;
} else if (pace->type == SMB_ACL_OTHER) {
got_grp = True;
} else if (pace->type == SMB_ACL_OTHER) {
@@
-1378,8
+1381,9
@@
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
* Ensure create mask/force create mode is respected on set.
*/
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl
)
+ if (setting_acl
&& !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
got_other = True;
pace_other = pace;
}
got_other = True;
pace_other = pace;
}
@@
-1425,7
+1429,9
@@
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->perms = pace_other->perms;
}
pace->perms = pace_other->perms;
}
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
}
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
}
@@
-1451,7
+1457,9
@@
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->perms = pace_other->perms;
else
pace->perms = 0;
pace->perms = pace_other->perms;
else
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
}
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
}
@@
-1473,7
+1481,9
@@
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->attr = ALLOW_ACE;
if (setting_acl) {
pace->perms = 0;
pace->attr = ALLOW_ACE;
if (setting_acl) {
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
} else
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
} else
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@
-2318,7
+2328,7
@@
static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "file ace - before valid", file_ace);
print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params,
+ if (!ensure_canon_entry_valid(&file_ace, f
alse, f
sp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
@@
-2327,7
+2337,7
@@
static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "dir ace - before valid", dir_ace);
print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params,
+ if (dir_ace && !ensure_canon_entry_valid(&dir_ace,
true,
fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
@@
-2513,7
+2523,7
@@
static canon_ace *canonicalise_acl(struct connection_struct *conn,
* This next call will ensure we have at least a user/group/world set.
*/
* This next call will ensure we have at least a user/group/world set.
*/
- if (!ensure_canon_entry_valid(&l_head, conn->params,
+ if (!ensure_canon_entry_valid(&l_head,
is_default_acl,
conn->params,
S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
psbuf, False))
goto fail;
S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
psbuf, False))
goto fail;
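Review bot: The comments kept above the group and other branches still read `Ensure create mask/force create mode is respected on set.`, but with the new `&& !is_default_acl` guard that no longer holds for default ACL entries, so a client-supplied directory default ACL is stored without the share's mask and force-mode settings being applied in this function. I would say so in place, e.g. `/* Access ACLs only: default ACL entries are deliberately left unmasked on set. */`, and describe `is_default_acl` in the header comment of ensure_canon_entry_valid, whose text lies outside the visible hunks. apply_default_perms() is not shown on this page; if it also enforces a floor such as owner read access, default ACLs now skip that as well, which is worth confirming and recording for administrators who rely on those settings. In unpack_canon_ace the new positional `false`/`true` sits in the same argument list as the older trailing `True`, so a short `/* is_default_acl */` tag at both call sites would make a swapped argument easier to catch in review. In canonicalise_acl the flag is passed together with `False` for setting_acl, and every use of it visible here is inside a setting branch, so it appears to have no effect on that path.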