authorJeremy Allison <jra@samba.org>2012-10-02 13:01:59 -0700
committerKarolin Seeger <kseeger@samba.org>2012-11-01 09:10:36 +0100
commit12198746841f2ca5a6614148625957f27c79cb85 (patch)
tree2d0f042bea43652ed879ac525cf4d06d907ab0ce
parentc9b858347a025a48ef5bee1eefc21be58ce81d98 (diff)
Only apply masks on non-default ACL entries when setting the ACL.
(cherry picked from commit 580f61622c449aee8420e3519e764706d11c20fc)
-rw-r--r--source3/smbd/posix_acls.c28
1 files changed, 19 insertions, 9 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 338ee6cfcaa..f7258bd66d7 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1342,6 +1342,7 @@ static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
****************************************************************************/
static bool ensure_canon_entry_valid(canon_ace **pp_ace,
+ bool is_default_acl,
const struct share_params *params,
const bool is_directory,
const DOM_SID *pfile_owner_sid,
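Review bot: The new `is_default_acl` parameter is not described in the visible part of the function's header comment (only its closing `****/` line is in the hunk), and it adds a second positional bool ahead of `is_directory`, with `setting_acl` as a third at the end of the list. I would add a header line such as `is_default_acl: true when *pp_ace is a directory default ACL; the share masks are then not applied on set.` so the access-control effect is stated where the function is declared. The parameter list and the body continue outside the hunk.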
@@ -1358,8 +1359,9 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
got_user = True;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
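Review bot: The `!is_default_acl` test is written out separately at each of the six `apply_default_perms()` calls (this hunk and the ones at -1368, -1378, -1425, -1451 and -1473), so a later edit to this function can miss one site and leave the masking policy inconsistent between entry types. A single local computed once, `const bool apply_masks = setting_acl && !is_default_acl;`, tested as `if (apply_masks)` at each call, keeps the decision in one place. This assumes the three later sites all sit inside a `setting_acl` branch, which is visible only in the -1473 hunk; the loop and the function extend beyond the hunks.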
@@ -1368,8 +1370,9 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
got_grp = True;
} else if (pace->type == SMB_ACL_OTHER) {
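Review bot: The context comment `Ensure create mask/force create mode is respected on set.` here and in the -1378 hunk no longer matches the code, because the call below it is now skipped for default ACLs. I would reword it to `Ensure create mask/force create mode is respected when setting an access ACL; default ACL entries are stored as supplied.` This matters to an administrator who relies on those share settings to bound what a client can grant. After this change the inheritable entries are written unmasked, and these comments are the only place in the hunks that would say so.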
@@ -1378,8 +1381,9 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
got_other = True;
pace_other = pace;
}
@@ -1425,7 +1429,9 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->perms = pace_other->perms;
}
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
}
@@ -1451,7 +1457,9 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->perms = pace_other->perms;
else
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
}
@@ -1473,7 +1481,9 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->attr = ALLOW_ACE;
if (setting_acl) {
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
} else
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@ -2318,7 +2328,7 @@ static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params,
+ if (!ensure_canon_entry_valid(&file_ace, false, fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
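Review bot: The new argument is passed as a bare `false` here and a bare `true` in the -2327 hunk, while the last argument of the same calls is spelled `True`, so each call now carries two unlabelled booleans in two spellings. Labelling the argument at the call site, `ensure_canon_entry_valid(&file_ace, false /* is_default_acl */, fsp->conn->params,` and likewise `true /* is_default_acl */` for `dir_ace`, makes it visible which list skips the masks. The `dir_ace` call is the one where a client-supplied default ACL is accepted without the masks, so that is the line a reviewer most needs to be able to read at a glance. The `if` bodies continue outside both hunks.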
@@ -2327,7 +2337,7 @@ static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params,
+ if (dir_ace && !ensure_canon_entry_valid(&dir_ace, true, fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
@@ -2513,7 +2523,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
* This next call will ensure we have at least a user/group/world set.
*/
- if (!ensure_canon_entry_valid(&l_head, conn->params,
+ if (!ensure_canon_entry_valid(&l_head, is_default_acl, conn->params,
S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
psbuf, False))
goto fail;
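Review bot: `is_default_acl` is forwarded here together with `setting_acl` set to `False`, and in the hunks that show their surroundings every new `!is_default_acl` test sits on the setting path, so the argument appears to have no effect on this read path. A short comment above the call, `/* is_default_acl is only consulted when setting_acl is true. */`, would save the next reader from looking for a behaviour change in canonicalise_acl. The declaration of `is_default_acl` in this function is outside the hunk.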