diff options
author | tprouty <tprouty@b72e2a10-2d34-0410-9a71-d3beadf02b57> | 2009-08-26 01:38:17 +0000 |
---|---|---|
committer | Tim Prouty <tprouty@samba.org> | 2009-08-26 10:41:55 -0700 |
commit | 17829cbc82b8f647374712285492dbb3210fe346 (patch) | |
tree | 708a052bc509494ee336f87592670daa612690e4 | |
parent | 3ad9d108a7404d625454efda0d000e4caa543e7a (diff) | |
download | samba-17829cbc82b8f647374712285492dbb3210fe346.tar.gz samba-17829cbc82b8f647374712285492dbb3210fe346.tar.bz2 samba-17829cbc82b8f647374712285492dbb3210fe346.zip |
s3 onefs: Canonicalize the ACL in the correct order
-rw-r--r-- | source3/modules/onefs_acl.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/source3/modules/onefs_acl.c b/source3/modules/onefs_acl.c index df4efd58df..2593012805 100644 --- a/source3/modules/onefs_acl.c +++ b/source3/modules/onefs_acl.c @@ -417,23 +417,27 @@ onefs_canon_acl(files_struct *fsp, struct ifs_security_descriptor *sd) * By walking down the list 3 separate times, we can avoid the need * to create multiple temp buffers and extra copies. */ - for (cur = 0; cur < sd->dacl->num_aces; cur++) { - if (sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) - new_aces[new_aces_count++] = sd->dacl->aces[cur]; - } + /* Explict deny aces first */ for (cur = 0; cur < sd->dacl->num_aces; cur++) { if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) && (sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED)) new_aces[new_aces_count++] = sd->dacl->aces[cur]; } + /* Explict allow aces second */ for (cur = 0; cur < sd->dacl->num_aces; cur++) { if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) && !(sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED)) new_aces[new_aces_count++] = sd->dacl->aces[cur]; } + /* Inherited deny/allow aces third */ + for (cur = 0; cur < sd->dacl->num_aces; cur++) { + if ((sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE)) + new_aces[new_aces_count++] = sd->dacl->aces[cur]; + } + SMB_ASSERT(new_aces_count == sd->dacl->num_aces); DEBUG(10, ("Performed canonicalization of ACLs for file %s\n", fsp_str_dbg(fsp))); |