summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2005-03-25 01:30:21 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:56:19 -0500
commit1ca7ec3472e9cb77888f2850930f087b5e5bf761 (patch)
tree9bbeb87416c8385b89fca072a2ae0a996cfaf787
parenta5433c4bf7a256880725173b96af5405c3c2eb9c (diff)
downloadsamba-1ca7ec3472e9cb77888f2850930f087b5e5bf761.tar.gz
samba-1ca7ec3472e9cb77888f2850930f087b5e5bf761.tar.bz2
samba-1ca7ec3472e9cb77888f2850930f087b5e5bf761.zip
r6055: Fix algorithm. If any of the primary or supplementary group ids match
a "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't terminate on the first match. Added debug to show where the match occured (or didn't). Jeremy. (This used to be commit 81fb3372867fa66a092841222e02bd1c104b2d19)
-rw-r--r--source3/smbd/posix_acls.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 76b67169f2..33db14aec3 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3860,6 +3860,11 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
goto check_stat;
}
+ /* If we don't have write permission this entry never matches. */
+ if (have_write == 0) {
+ continue;
+ }
+
switch(tagtype) {
case SMB_ACL_GROUP:
{
@@ -3870,9 +3875,9 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
for (i = 0; i < current_user.ngroups; i++) {
if (current_user.groups[i] == *pgid) {
/* We're done now we have a gid match. */
- ret = have_write;
+ ret = 1;
DEBUG(10,("check_posix_acl_group_write: file %s \
-match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "cannot write"));
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
goto done;
}
}
@@ -3886,13 +3891,24 @@ match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "ca
check_stat:
+ /* If we get here we know ret == 0. */
+ SMB_ASSERT(ret == 0);
+
for (i = 0; i < current_user.ngroups; i++) {
if (current_user.groups[i] == psbuf->st_gid) {
ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
break;
}
}
+ if (i == current_user.ngroups) {
+ SMB_ASSERT(ret == 0);
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+failed to match on user or group in token.\n", fname ));
+ }
+
done:
SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);