Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs.

Not caught by make test as it's an extreme edge case for strange
incoming ACLs. I only found this as I'm making raw.acls and smb2.acls
pass against 3.6.x with acl_xattr mapped onto a POSIX backend (which
isn't tested in make test).

An incoming inheritable ACE entry containing only one permission,
WRITE_DATA maps into a POSIX owner perm of "-w-", which violates
the principle that the owner of a file/directory can always read.
(cherry picked from commit 92292ac55144521824610a5d4b09f8dc1ff19a8a)

1 files changed, 10 insertions, 4 deletions

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 646efa4b69c..65a77d4e574 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1359,7 +1359,11 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
 	for (pace = *pp_ace; pace; pace = pace->next) {
 		if (pace->type == SMB_ACL_USER_OBJ) {
 
-			if (setting_acl && !is_default_acl) {
+			if (setting_acl) {
+				/*
+				 * Ensure we have default parameters for the
+				 * user (owner) even on default ACLs.
+				 */
 				apply_default_perms(params, is_directory, pace, S_IRUSR);
 			}
 			got_user = True;
@@ -1439,9 +1443,11 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
 					pace->perms = pace_other->perms;
 			}
 
-			if (!is_default_acl) {
-				apply_default_perms(params, is_directory, pace, S_IRUSR);
-			}
+			/*
+			 * Ensure we have default parameters for the
+			 * user (owner) even on default ACLs.
+			 */
+			apply_default_perms(params, is_directory, pace, S_IRUSR);
 		} else {
 			pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
 		}