s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL...

Since 4.0.x we add 2 additional ACE entries, one SMB_ACL_USER
and SMB_ACL_GROUP to match the existing SMB_ACL_USER_OBJ and
SMB_ACL_GROUP_OBJ entries. The two additional entries break
the simple "must have 3 entries" check done inside convert_canon_ace_to_posix_perms().
Replace this with a more complete test.

Problem and initial fix provided by <tcleamy@ucdavis.edu>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10489

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Feb 11 11:14:53 CET 2016 on sn-devel-144

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 660c0e4e0d3a073a151005fdfc6804bfc55c9a7c..0c9c749db0e6a3cae4fd665c8f204d25acf5d657 100644 (file)
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3085,7 +3085,7 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
        canon_ace *group_ace = NULL;
        canon_ace *other_ace = NULL;
 
-       if (ace_count != 3) {
+       if (ace_count > 5) {
                DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
                         "entries for file %s to convert to posix perms.\n",
                         fsp_str_dbg(fsp)));
@@ -3107,6 +3107,43 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
                return False;
        }
 
+       /*
+        * Ensure all ACE entries are owner, group or other.
+        * We can't set if there are any other SIDs.
+        */
+       for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
+               if (ace_p == owner_ace || ace_p == group_ace ||
+                               ace_p == other_ace) {
+                       continue;
+               }
+               if (ace_p->owner_type == UID_ACE) {
+                       if (ace_p->unix_ug.id != owner_ace->unix_ug.id) {
+                               DEBUG(3,("Invalid uid %u in ACE for file %s.\n",
+                                       (unsigned int)ace_p->unix_ug.id,
+                                       fsp_str_dbg(fsp)));
+                               return false;
+                       }
+               } else if (ace_p->owner_type == GID_ACE) {
+                       if (ace_p->unix_ug.id != group_ace->unix_ug.id) {
+                               DEBUG(3,("Invalid gid %u in ACE for file %s.\n",
+                                       (unsigned int)ace_p->unix_ug.id,
+                                       fsp_str_dbg(fsp)));
+                               return false;
+                       }
+               } else {
+                       /*
+                        * There should be no duplicate WORLD_ACE entries.
+                        */
+
+                       DEBUG(3,("Invalid type %u, uid %u in "
+                               "ACE for file %s.\n",
+                               (unsigned int)ace_p->owner_type,
+                               (unsigned int)ace_p->unix_ug.id,
+                               fsp_str_dbg(fsp)));
+                       return false;
+               }
+       }
+
        *posix_perms = (mode_t)0;
 
        *posix_perms |= owner_ace->perms;