authorAndrew Bartlett <abartlet@samba.org>2012-05-09 12:11:45 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-05-17 03:17:05 +0200
commit59106473d37044adf5f1edde24221e1f70f15972 (patch)
treefd1a70c68abdd8cae92d50b940af8a127c9605d6
parent70be41c772d69d36ea8f434187be8bfd6b5f38a0 (diff)
s3-smbd: Do not merge UID ACE values with GID ACE values for posix ACL
This might happen when we get a SID mapped to IDMAP_BOTH. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org>
-rw-r--r--source3/smbd/posix_acls.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index bbf0eae0f1..a313190fd2 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -949,15 +949,21 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
/* For file ACLs we can merge if the SIDs and ALLOW/DENY
* types are the same. For directory acls we must also
- * ensure the POSIX ACL types are the same. */
+ * ensure the POSIX ACL types are the same.
+ *
+ * For the IDMAP_BOTH case, we must not merge
+ * the UID and GID ACE values for same SID
+ */
if (!dir_acl) {
can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace->attr == curr_ace_outer->attr));
+ curr_ace->owner_type == curr_ace_outer->owner_type &&
+ (curr_ace->attr == curr_ace_outer->attr));
} else {
can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace->type == curr_ace_outer->type) &&
- (curr_ace->attr == curr_ace_outer->attr));
+ curr_ace->owner_type == curr_ace_outer->owner_type &&
+ (curr_ace->type == curr_ace_outer->type) &&
+ (curr_ace->attr == curr_ace_outer->attr));
}
if (can_merge) {
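Review bot: The added comment says UID and GID ACE values must not be merged for the same SID but not why, and the `owner_type` test is written without parentheses in both branches here while the later hunk at -1005 parenthesizes it. I would extend the comment with something like `* An IDMAP_BOTH SID can yield both a UID ACE and a GID ACE; they are separate POSIX ACL entries and merging them would drop one.` (presumably the reason, going by the commit message; please confirm) and write the test as `(curr_ace->owner_type == curr_ace_outer->owner_type) &&` throughout. The trustee-plus-owner_type predicate now appears three times in merge_aces, so a small static helper would keep the copies from drifting apart. The function body starts and ends outside this hunk.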
@@ -1005,7 +1011,8 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
*/
if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
+ (curr_ace->owner_type == curr_ace_outer->owner_type) &&
+ (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
if( DEBUGLVL( 10 )) {
dbgtext("merge_aces: Masking ACE's\n");
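Review bot: With the added `owner_type` comparison, a DENY ACE masks an ALLOW ACE only when both entries carry the same owner type, so for a SID mapped as IDMAP_BOTH a deny that reaches this loop as a UID entry alone would leave the GID allow entry for the same SID unmasked, and vice versa. Whether that can occur depends on how the caller builds the list, which is not visible here; it is worth confirming that a deny for such a SID is always emitted for both owner types and saying so in the comment above this `if`, e.g. `* Only entries of the same owner_type are masked; an IDMAP_BOTH SID must supply its deny for both types.` The diffstat shows no test change, so a regression test with a deny/allow pair on an IDMAP_BOTH SID would pin the intended behaviour. The enclosing block continues past the end of the hunk.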