When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_A...

[metze/samba/wip.git] / source3 / smbd / posix_acls.c

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 125234cdfad4a6cb502462278a47b3f03c3f42e8..b00f1ec1bcfec482022951305856641dab5b3dbc 100644 (file)
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1395,6 +1395,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
                                apply_default_perms(params, is_directory, pace, S_IROTH);
                        }
                        pace_other = pace;
+
+               } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
+
+                       /*
+                        * Ensure create mask/force create mode is respected on set.
+                        */
+
+                       if (setting_acl && !is_default_acl) {
+                               apply_default_perms(params, is_directory, pace, S_IRGRP);
+                       }
                }
        }