authortprouty <tprouty@b72e2a10-2d34-0410-9a71-d3beadf02b57>2009-08-26 01:38:17 +0000
committerTim Prouty <tprouty@samba.org>2009-08-26 10:41:55 -0700
commit17829cbc82b8f647374712285492dbb3210fe346 (patch)
tree708a052bc509494ee336f87592670daa612690e4
parent3ad9d108a7404d625454efda0d000e4caa543e7a (diff)
s3 onefs: Canonicalize the ACL in the correct order
-rw-r--r--source3/modules/onefs_acl.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/source3/modules/onefs_acl.c b/source3/modules/onefs_acl.c
index df4efd58df..2593012805 100644
--- a/source3/modules/onefs_acl.c
+++ b/source3/modules/onefs_acl.c
@@ -417,23 +417,27 @@ onefs_canon_acl(files_struct *fsp, struct ifs_security_descriptor *sd)
* By walking down the list 3 separate times, we can avoid the need
* to create multiple temp buffers and extra copies.
*/
- for (cur = 0; cur < sd->dacl->num_aces; cur++) {
- if (sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE)
- new_aces[new_aces_count++] = sd->dacl->aces[cur];
- }
+ /* Explict deny aces first */
for (cur = 0; cur < sd->dacl->num_aces; cur++) {
if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) &&
(sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED))
new_aces[new_aces_count++] = sd->dacl->aces[cur];
}
+ /* Explict allow aces second */
for (cur = 0; cur < sd->dacl->num_aces; cur++) {
if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) &&
!(sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED))
new_aces[new_aces_count++] = sd->dacl->aces[cur];
}
+ /* Inherited deny/allow aces third */
+ for (cur = 0; cur < sd->dacl->num_aces; cur++) {
+ if ((sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE))
+ new_aces[new_aces_count++] = sd->dacl->aces[cur];
+ }
+
SMB_ASSERT(new_aces_count == sd->dacl->num_aces);
DEBUG(10, ("Performed canonicalization of ACLs for file %s\n",
fsp_str_dbg(fsp)));
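Review bot: The third loop, under `/* Inherited deny/allow aces third */`, copies inherited ACEs in their incoming order and does not split them into deny-then-allow as the first two loops do for explicit ACEs, and the comment does not say whether that is intended. ACE order decides which entry is matched first, so an inherited allow that precedes an inherited deny in the input keeps that position in the result. If preserving the incoming order is deliberate (for example to keep per-level inheritance order), the comment should say so, e.g. `/* Inherited aces third, kept in their incoming order; deny/allow are not re-sorted */`. The two new comments also misspell "Explicit" as `Explict`. onefs_canon_acl starts and ends outside this hunk, so the allocation of `new_aces` is not visible here.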