authorJeremy Allison <jra@samba.org>2011-04-14 13:20:08 -0700
committerJeremy Allison <jra@samba.org>2011-04-14 13:20:08 -0700
commit182eea9ae26804d7f4eedcfa09eef0342ec3db5a (patch)
tree80e1af1c223b21af0313006e3f42845da72099b3
parent9c2ba9436d1abe66c493a512702101f631946cdf (diff)
Fix bug #8083 - "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module.
If "inherit owner = yes", pass in the directory owner and group owner as the target for CREATOR_OWNER and CREATOR_GROUP substitutions, and also as the owner and primary group of the new security descriptor being applied to the object. Jeremy.
-rw-r--r--source3/modules/vfs_acl_common.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 5edcb4bc06..6c57acb13d 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -446,6 +446,9 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
TALLOC_CTX *ctx = talloc_tos();
NTSTATUS status = NT_STATUS_OK;
struct security_descriptor *psd = NULL;
+ struct dom_sid *owner_sid = NULL;
+ struct dom_sid *group_sid = NULL;
+ bool inherit_owner = lp_inherit_owner(SNUM(handle->conn));
size_t size;
if (!sd_has_inheritable_components(parent_desc, is_directory)) {
@@ -460,12 +463,25 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
NDR_PRINT_DEBUG(security_descriptor, parent_desc);
}
+ /* Inherit from parent descriptor if "inherit owner" set. */
+ if (inherit_owner) {
+ owner_sid = parent_desc->owner_sid;
+ group_sid = parent_desc->group_sid;
+ }
+
+ if (owner_sid == NULL) {
+ owner_sid = &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+ }
+ if (group_sid == NULL) {
+ group_sid = &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX];
+ }
+
status = se_create_child_secdesc(ctx,
&psd,
&size,
parent_desc,
- &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX],
- &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX],
+ owner_sid,
+ group_sid,
is_directory);
if (!NT_STATUS_IS_OK(status)) {
return status;
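Review bot: The two NULL fallbacks after the `if (inherit_owner)` block apply per field, so a parent descriptor that carries an owner but no group (or the reverse) yields a child owned by the directory owner but carrying the connecting user's primary group. If that mix is intended it should be documented, since the existing comment only covers the inherit case; for example `/* Either SID may be missing from parent_desc; fall back to the session token for that field only. */` above `if (owner_sid == NULL)`. The pointers are borrowed from parent_desc and the session token, which is fine only if se_create_child_secdesc() copies them; that is not visible here and is worth confirming. inherit_new_acl() begins and ends outside this hunk.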
@@ -477,11 +493,19 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
NDR_PRINT_DEBUG(security_descriptor, psd);
}
- return SMB_VFS_FSET_NT_ACL(fsp,
+ if (inherit_owner) {
+ /* We need to be root to force this. */
+ become_root();
+ }
+ status = SMB_VFS_FSET_NT_ACL(fsp,
(SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL),
psd);
+ if (inherit_owner) {
+ unbecome_root();
+ }
+ return status;
}
static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle,
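Review bot: The become_root()/unbecome_root() pair brackets the whole SMB_VFS_FSET_NT_ACL call, so with "inherit owner" on, the DACL write and any VFS module stacked below this one run as root, not only the ownership change that needs it. As far as this diff shows, psd comes only from se_create_child_secdesc() on parent_desc, so no client-supplied descriptor is applied with privilege. That invariant is what makes the elevation safe and should be stated at the call site, e.g. extend the comment to `/* We need to be root to force this. psd is derived solely from parent_desc, never from the client request. */`. The pairing itself is balanced, since there is no early return between the two calls. The start of inherit_new_acl() is outside the hunk.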