Revert "Ensure the masks don't conflict with the ACL checks."
author Andrew Bartlett <abartlet@samba.org>
Sun, 10 Mar 2013 09:25:53 +0000 (20:25 +1100)
committer Karolin Seeger <kseeger@samba.org>
Tue, 19 Mar 2013 08:37:52 +0000 (09:37 +0100)
This reverts commit 78594909b8b22bd07978922b1c85dfd6f6456963 which was
needed by 7622aa16adeb00bf161a6dd07664c37125391272.

This change masked bug #9462 which was fixed by
2013bb9b4dbed747921df2591068e2765428f57d.  The issue was that the
defaults for the substituted parameters did not match the old
parameter.  Changing the values in our test suite hid the issue, but
did not fix the issue.

(Additional change in the revert is to correct the expected ACL value
in posixacl.py due to changed implied inherited permissions).

Andrew Bartlett

Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 11 19:46:24 CET 2013 on sn-devel-104
(cherry picked from commit 58e385a5ac37c072a4eef3baa7926b799a732e94)

The last 3 patches address bug #Bug 9709 - CVE-2013-1863; Remove forced set of
'create mask' to 0777.

CVE-2013-1863: World-writeable files may be created in additional shares on a
Samba 4.0 AD DC.

selftest/target/Samba3.pm
selftest/target/Samba4.pm
source4/scripting/python/samba/tests/posixacl.py

index 6c634135f54a43595f245081f05d6d9af67b390d..70304fe0060ebed3061ac2e206260334b0247020 100755 (executable)
@@ -897,8 +897,7 @@ sub provision($$$$$$)
        map system = no
        map readonly = no
        store dos attributes = yes
-       create mask = 0777
-       directory mask = 0777
+       create mask = 755
        dos filemode = yes
        vfs objects = $vfs_modulesdir_abs/acl_xattr.so $vfs_modulesdir_abs/fake_acls.so $vfs_modulesdir_abs/xattr_tdb.so $vfs_modulesdir_abs/streams_depot.so
 
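Review bot: the added `create mask = 755` in provision() drops the leading zero that both removed lines (`0777`) carried, and the removed `directory mask = 0777` gets no replacement line. Writing the value as `0755` would keep the octal intent explicit, and a one-line comment that `directory mask` is deliberately left to the built-in default would record why it is absent, since the commit message says the forced values were what hid bug #9462.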
index 5f1c907b79a0c0a9cc32a40d3321a72b561b6da7..d17a37c3d6b4f8765ab24822c3cde1ece6ec3a88 100644 (file)
@@ -1387,8 +1387,7 @@ sub provision_plugin_s4_dc($$)
 
        smbd:sharedelay = 100000
        smbd:writetimeupdatedelay = 500000
-       create mask = 0777
-       directory mask = 0777
+       create mask = 755
        dos filemode = yes
 
         dcerpc endpoint servers = -winreg -srvsvc
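Review bot: `create mask = 755` in provision_plugin_s4_dc() duplicates the value set in Samba3.pm's provision(), and nothing in either template ties the two together or points at the test that depends on them. The commit message says the expected ACL in posixacl.py changed along with this setting, so a comment beside the line naming that test would stop a later edit to one template from drifting out of step with the other or with the asserted SDDL.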
index 652721f4f107979e36f18dc8489c79376c6015e7..6a234e4aafe60959db17236431b6bb32d54fe3ed 100644 (file)
@@ -210,7 +210,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         smbd.chown(self.tempdir, BA_id, SO_id)
         smbd.set_simple_acl(self.tempdir, 0750)
         facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
-        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"
+        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
 
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(acl, facl.as_sddl(anysid))
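Review bot: the expected SDDL on the `acl =` line is a bare literal whose only change is the CG and WD inherit-only ACEs going from 0x001f01ff to 0x001200a9, and nothing in the test says where that mask comes from. The new value matches the mask already on the SO ACE in the same string, so a short comment stating that the inherited ACEs follow from the 0750 mode passed to set_simple_acl() under the selftest share masks would make the dependency visible. Without it, a future change to the masks in the provisioning templates can be "fixed" by editing this string again, which is the pattern the commit message describes as hiding the issue rather than fixing it.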