diff options
| author | Christian Ambach <christian.ambach@de.ibm.com> | 2009-07-09 14:45:23 +0200 |
|---|---|---|
| committer | Volker Lendecke <vl@samba.org> | 2009-07-14 09:21:26 +0200 |
| commit | bd58a1461724eb92c9fedd014edb7465f5a16b40 (patch) | |
| tree | 624a662a3919770f5c65776fe5067dec16de5e28 | |
| parent | e67de63ba6c6de60400e7deb4664d259f6dfb638 (diff) | |
| download | samba-bd58a1461724eb92c9fedd014edb7465f5a16b40.tar.gz samba-bd58a1461724eb92c9fedd014edb7465f5a16b40.tar.bz2 samba-bd58a1461724eb92c9fedd014edb7465f5a16b40.zip | |
reject ACLs with DESC_DACL_PROTECTED on GPFS
as GPFS does not support the ACE4_FLAG_NO_PROPAGATE NFSv4 flag (which would be the mapping for the DESC_DACL_PROTECTED flag), the status of this flag is currently silently ignored by Samba. That means that if you deselect the "Allow inheritable permissions..." checkbox in Windows' ACL dialog and then apply the ACL, the flag will be back immediately.
To make sure that automatic migration with e.g. robocopy does not lead to ACLs silently (and unintentionally) changed, this patch adds an explicit check for this flag and if set, it will return NT_STATUS_NOT_SUPPORTED so errors are shown up on the Windows side and the Administrator is aware of the ACLs not being settable like intended
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
| -rw-r--r-- | source3/modules/vfs_gpfs.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c index 47858cb352..ffa8db00b3 100644 --- a/source3/modules/vfs_gpfs.c +++ b/source3/modules/vfs_gpfs.c @@ -445,6 +445,11 @@ static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_i if (acl->acl_version&GPFS_ACL_VERSION_NFS4) { + if ((psd->type&SEC_DESC_DACL_PROTECTED)) { + DEBUG(2, ("Rejecting unsupported ACL with DACL_PROTECTED bit set\n")); + return NT_STATUS_NOT_SUPPORTED; + } + result = smb_set_nt_acl_nfs4( fsp, security_info_sent, psd, gpfsacl_process_smbacl); |