diff options
-rw-r--r-- | docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml | 30 | ||||
-rw-r--r-- | lib/param/loadparm.c | 4 | ||||
-rw-r--r-- | selftest/knownfail.d/samba3.smb2.acls_non_canonical | 1 | ||||
-rwxr-xr-x | selftest/target/Samba3.pm | 1 | ||||
-rw-r--r-- | source3/param/loadparm.c | 1 | ||||
-rw-r--r-- | source3/smbd/nttrans.c | 5 |
6 files changed, 41 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml new file mode 100644 index 00000000000..676d5b478a3 --- /dev/null +++ b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml @@ -0,0 +1,30 @@ +<samba:parameter name="acl flag inherited canonicalization" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls the way Samba handles client requests setting + the Security Descriptor of files and directories and the effect the + operation has on the Security Descriptor flag "DACL + auto-inherited" (DI). Generally, this flag is set on a file (or + directory) upon creation if the parent directory has DI set and also has + inheritable ACEs. + </para> + + <para>On the other hand when a Security Descriptor is explicitly set on + a file, the DI flag is cleared, unless the flag "DACL Inheritance + Required" (DR) is also set in the new Security Descriptor (fwiw, DR is + never stored on disk).</para> + + <para>This is the default behaviour when this option is enabled (the + default). When setting this option to <command>no</command>, the + resulting value of the DI flag on-disk is directly taken from the DI + value of the to-be-set Security Descriptor. This can be used so dump + tools like rsync that copy data blobs from xattrs that represent ACLs + created by the acl_xattr VFS module will result in copies of the ACL + that are identical to the source. Without this option, the copied ACLs + would all loose the DI flag if set on the source.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index b674858e706..54920b85027 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2960,6 +2960,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "smbd max xattr size", "65536"); + lpcfg_do_global_parameter(lp_ctx, + "acl flag inherited canonicalization", + "yes"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/selftest/knownfail.d/samba3.smb2.acls_non_canonical b/selftest/knownfail.d/samba3.smb2.acls_non_canonical deleted file mode 100644 index b3ebece42be..00000000000 --- a/selftest/knownfail.d/samba3.smb2.acls_non_canonical +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.acls_non_canonical.flags.* diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 5143eda4194..84d3fd362ec 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -3070,6 +3070,7 @@ sub provision($$) [acls_non_canonical] copy = tmp + acl flag inherited canonicalization = no "; close(CONF); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 85e578eda9e..d3b9de4a09a 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -240,6 +240,7 @@ static const struct loadparm_service _sDefault = .acl_map_full_control = true, .acl_group_control = false, .acl_allow_execute_always = false, + .acl_flag_inherited_canonicalization = true, .aio_read_size = 1, .aio_write_size = 1, .map_readonly = MAP_READONLY_NO, diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 50e0a5f2f01..00f551595d7 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -965,6 +965,11 @@ static void canonicalize_inheritance_bits(struct files_struct *fsp, * for details. */ + if (!lp_acl_flag_inherited_canonicalization(SNUM(fsp->conn))) { + psd->type &= ~SEC_DESC_DACL_AUTO_INHERIT_REQ; + return; + } + if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) { set_auto_inherited = true; |