diff options
author | Christian Ambach <christian.ambach@de.ibm.com> | 2009-07-05 16:03:15 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2009-07-06 12:28:52 +0200 |
commit | 5e7da42f6ea768a1e2eeeb15b8b2c41cdfcac94f (patch) | |
tree | 0ce62d459cf3a1a0ee795d77db6d7d0e9048777d | |
parent | 8f3f62e9d6326936bd39b4e1ca127677b9e09d19 (diff) | |
download | samba-5e7da42f6ea768a1e2eeeb15b8b2c41cdfcac94f.tar.gz samba-5e7da42f6ea768a1e2eeeb15b8b2c41cdfcac94f.tar.bz2 samba-5e7da42f6ea768a1e2eeeb15b8b2c41cdfcac94f.zip |
do not merge ACEs with different SMB_ACE4_INHERIT_ONLY_ACE flag, this leads to wrong inheritance flags in the ACL e.g. (on GPFS) user:10000036:rwxc:allow (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:10000005:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
would be merged to
user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
so the explicit right for the user on the parent directory will be gone (the InheritOnly flag only accounts to subdirectories)
thus leaving the user without access to the directory itself
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
-rw-r--r-- | source3/modules/nfs4_acls.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index b213138c80..70bdaa8826 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -433,8 +433,15 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) { SMB_ACE4PROP_T *ace = &aceint->prop; + DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " + "new type:0x%x flags:0x%x aceFlags:0x%x\n", + ace->aceType, ace->flags, ace->aceFlags, + aceNew->aceType, aceNew->flags,aceNew->aceFlags)); + if (ace->flags == aceNew->flags && ace->aceType==aceNew->aceType && + ((ace->aceFlags&SMB_ACE4_INHERIT_ONLY_ACE)== + (aceNew->aceFlags&SMB_ACE4_INHERIT_ONLY_ACE)) && (ace->aceFlags&SMB_ACE4_IDENTIFIER_GROUP)== (aceNew->aceFlags&SMB_ACE4_IDENTIFIER_GROUP) ) { |