This presents a potential security problem when ACLs contain DENY ACEs.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
for (i=0; i < state->num_sids; i++) {
bool include_gid = false;
+ const char *debug_missing = NULL;
switch (xids[i].type) {
case ID_TYPE_NOT_SPECIFIED:
+ debug_missing = "not specified";
+ break;
case ID_TYPE_UID:
+ if (i != 0) {
+ debug_missing = "uid";
+ }
break;
case ID_TYPE_GID:
case ID_TYPE_BOTH:
}
if (!include_gid) {
+ if (debug_missing == NULL) {
+ continue;
+ }
+
+ DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
+ "from group list because the idmap type "
+ "is %s. "
+ "This might be a security problem when ACLs "
+ "contain DENY ACEs!\n",
+ (unsigned)xids[i].id,
+ sid_string_tos(&state->sids[i]),
+ debug_missing));
continue;
}