authorJeremy Allison <jra@samba.org>2001-09-22 06:45:24 +0000
committerJeremy Allison <jra@samba.org>2001-09-22 06:45:24 +0000
commit0492effcf36bc1229d0d2e9250b6c6c36af0b117 (patch)
tree7b818ebc9f8a36d459cb96ffee0e7f428fae43b5
parent81ad252fbc3720939dccbda23ef447af071aab14 (diff)
Ignore unmappable (NT Authority, BUILTIN etc.) SIDs in an ACL set.
Jeremy. (This used to be commit bc7963bd643422cce081b6284e3bdd49ae3a02ab)
-rw-r--r--source3/lib/util_sid.c24
-rw-r--r--source3/smbd/posix_acls.c11
2 files changed, 35 insertions, 0 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index c89c7c70d9..10813a4605 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -566,3 +566,27 @@ size_t sid_size(DOM_SID *sid)
return sid->num_auths * sizeof(uint32) + 8;
}
+
+/*****************************************************************
+ Returns true if SID is internal (and non-mappable).
+*****************************************************************/
+
+BOOL non_mappable_sid(DOM_SID *sid)
+{
+ DOM_SID dom;
+ uint32 rid;
+
+ sid_copy(&dom, sid);
+ sid_split_rid(&dom, &rid);
+
+ if (sid_equal(&dom, &global_sid_Builtin))
+ return True;
+
+ if (sid_equal(&dom, &global_sid_Creator_Owner_Domain))
+ return True;
+
+ if (sid_equal(&dom, &global_sid_NT_Authority))
+ return True;
+
+ return False;
+}
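Review bot: The header comment on `non_mappable_sid` does not state the matching rule, which matters for anyone relying on it as a filter. The body removes the final sub-authority and compares the remainder with `global_sid_Builtin`, `global_sid_Creator_Owner_Domain` and `global_sid_NT_Authority`, so only SIDs exactly one level below those three are reported. A SID with more sub-authorities under NT Authority would presumably be treated as mappable. I would extend the comment with something like `A SID matches only if, with its last RID removed, it equals BUILTIN, Creator Owner or NT Authority.` The result of `sid_split_rid(&dom, &rid)` is also discarded and `rid` is never read; if that call can fail on a SID with no sub-authorities, either check it or note in the comment why the unsplit comparison is acceptable.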
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 18a635336c..64dd51f193 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -715,6 +715,17 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
SEC_ACE *psa = &dacl->ace[i];
/*
+ * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
+ */
+
+ if (non_mappable_sid(&psa->sid)) {
+ fstring str;
+ DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
+ sid_to_string(str, &psa->sid) ));
+ continue;
+ }
+
+ /*
* Create a cannon_ace entry representing this NT DACL ACE.
*/
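Review bot: The new `continue` skips an ACE before anything in this hunk looks at its type, so a deny ACE for a BUILTIN or NT Authority SID is dropped as silently as an allow ACE. Dropping a deny entry leaves the resulting POSIX ACL more permissive than the descriptor the client sent, and the only trace is a level-10 debug line. I would make that visible by logging skipped deny entries at a level operators normally see, e.g. `DEBUG((psa->type == SEC_ACE_TYPE_ACCESS_DENIED) ? 3 : 10, (...));`. The comment should also say that the entry is discarded rather than rejected, e.g. `Such ACEs are dropped, not failed; a dropped deny ACE widens access.` The loop and the rest of `create_canon_ace_lists` lie outside the hunk, so an earlier type filter cannot be ruled out from here.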