authorJeremy Allison <jra@samba.org>2008-07-03 10:25:26 -0700
committerKarolin Seeger <kseeger@samba.org>2008-07-06 22:31:15 +0200
commitf130de5441160b53a0dceb5d102fe2783b067048 (patch)
tree47ed16f86dd9923cd841f9b2a3908f54225c5307 /source/smbd/posix_acls.c
parentd30d79090e182f96ebcbe5f28d5c018341076569 (diff)
Patch from SATOH Fumiyasu <fumiyas@osstech.co.jp> for bug #5202. Re-activate "acl group control"
parameter and make it only apply to owning group. Also added man page fix. Jeremy. (cherry picked from commit 93e91e5364a7f131d988648cf5fe822a9bd68734)
Diffstat (limited to 'source/smbd/posix_acls.c')
-rw-r--r--source/smbd/posix_acls.c40
1 files changed, 26 insertions, 14 deletions
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index c3c9d2e60c4..86934f976bd 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2364,20 +2364,32 @@ static bool current_user_in_group(gid_t gid)
}
/****************************************************************************
- Should we override a deny ? Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ? Check 'acl group control' and 'dos filemode'.
****************************************************************************/
-static bool acl_group_override(connection_struct *conn, gid_t prim_gid)
+static bool acl_group_override(connection_struct *conn,
+ gid_t prim_gid,
+ const char *fname)
{
- if ( (errno == EACCES || errno == EPERM)
- && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
- && current_user_in_group(prim_gid))
- {
- return True;
- }
+ SMB_STRUCT_STAT sbuf;
- return False;
+ if ((errno != EPERM) && (errno != EACCES)) {
+ return false;
+ }
+
+ /* file primary group == user primary or supplementary group */
+ if (lp_acl_group_control(SNUM(conn)) &&
+ current_user_in_group(prim_gid)) {
+ return true;
+ }
+
+ /* user has writeable permission */
+ if (lp_dos_filemode(SNUM(conn)) &&
+ can_write_to_file(conn, fname, &sbuf)) {
+ return true;
+ }
+
+ return false;
}
/****************************************************************************
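Review bot: `sbuf` is declared without an initialiser and passed straight to `can_write_to_file(conn, fname, &sbuf)` in the `dos filemode` branch. can_write_to_file is not visible in this hunk, but if it treats a stat buffer that looks populated as already valid and skips its own stat, the decision to override a denied ACL change would rest on stack garbage rather than on the file's real owner and mode. A true result appears to make the callers retry the failed operation as an override, so zero the buffer first with `ZERO_STRUCT(sbuf);` directly after the errno check. The header comment should also state that errno must still hold the value from the failed ACL call on entry, and that the `dos filemode` check is made by path name.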
@@ -2563,7 +2575,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
*pacl_set_support = False;
}
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
int sret;
DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
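Review bot: The DEBUG text just below the changed call still reads "acl group control on and current user in file %s primary group", but after this commit acl_group_override() can also return true through the `dos filemode` / can_write_to_file() branch. Someone reading a level-5 log to work out why a denied ACL change was overridden would be pointed at the wrong parameter. Neutral wording such as `DEBUG(5,("set_canon_ace_list: acl group control or dos filemode override for file %s.\n",` would keep the log accurate. The same message appears in the second set_canon_ace_list hunk and, with a set_nt_acl prefix, in both set_nt_acl hunks. The DEBUG statement and the enclosing function continue outside this hunk.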
@@ -2594,7 +2606,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
*pacl_set_support = False;
}
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
int sret;
DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -3572,7 +3584,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
DEBUG(5,("set_nt_acl: acl group control on and "
"current user in file %s primary group. Override delete_def_acl\n",
fsp->fsp_name ));
@@ -3619,7 +3631,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
DEBUG(5,("set_nt_acl: acl group control on and "
"current user in file %s primary group. Override chmod\n",
fsp->fsp_name ));