diff options
| author | Jeremy Allison <jra@samba.org> | 2016-02-09 12:47:43 -0800 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2016-02-15 11:24:24 +0100 |
| commit | 4526ba628ed7ee2bbd6751fb0155efff0b970dba (patch) | |
| tree | cef2e94858c4b0617b8c6fc32106228df5cb6cd6 | |
| parent | ebb7d6602bd4c8f86e8d47e0581160f6d900ede9 (diff) | |
| download | samba-4526ba628ed7ee2bbd6751fb0155efff0b970dba.tar.gz | |
s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support.
Since 4.0.x we add 2 additional ACE entries, one SMB_ACL_USER
and SMB_ACL_GROUP to match the existing SMB_ACL_USER_OBJ and
SMB_ACL_GROUP_OBJ entries. The two additional entries break
the simple "must have 3 entries" check done inside convert_canon_ace_to_posix_perms().
Replace this with a more complete test.
Problem and initial fix provided by <tcleamy@ucdavis.edu>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10489
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Feb 11 11:14:53 CET 2016 on sn-devel-144
(cherry picked from commit 5172bf0c5b0672c1479c2ad776460956aa469bca)
| -rw-r--r-- | source3/smbd/posix_acls.c | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index b69e5b49231..80d4feaec42 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3085,7 +3085,7 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file canon_ace *group_ace = NULL; canon_ace *other_ace = NULL; - if (ace_count != 3) { + if (ace_count > 5) { DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE " "entries for file %s to convert to posix perms.\n", fsp_str_dbg(fsp))); @@ -3107,6 +3107,43 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file return False; } + /* + * Ensure all ACE entries are owner, group or other. + * We can't set if there are any other SIDs. + */ + for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) { + if (ace_p == owner_ace || ace_p == group_ace || + ace_p == other_ace) { + continue; + } + if (ace_p->owner_type == UID_ACE) { + if (ace_p->unix_ug.id != owner_ace->unix_ug.id) { + DEBUG(3,("Invalid uid %u in ACE for file %s.\n", + (unsigned int)ace_p->unix_ug.id, + fsp_str_dbg(fsp))); + return false; + } + } else if (ace_p->owner_type == GID_ACE) { + if (ace_p->unix_ug.id != group_ace->unix_ug.id) { + DEBUG(3,("Invalid gid %u in ACE for file %s.\n", + (unsigned int)ace_p->unix_ug.id, + fsp_str_dbg(fsp))); + return false; + } + } else { + /* + * There should be no duplicate WORLD_ACE entries. + */ + + DEBUG(3,("Invalid type %u, uid %u in " + "ACE for file %s.\n", + (unsigned int)ace_p->owner_type, + (unsigned int)ace_p->unix_ug.id, + fsp_str_dbg(fsp))); + return false; + } + } + *posix_perms = (mode_t)0; *posix_perms |= owner_ace->perms; |