summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Adam <obnox@samba.org>2012-12-05 15:04:01 +0100
committerJeremy Allison <jra@samba.org>2012-12-05 16:35:07 -0800
commit2013bb9b4dbed747921df2591068e2765428f57d (patch)
tree2a36d8abb75ec60e674aa5ed14447ddc9692b7e9
parent943797c232f96a5dd411a803ad90b6980b2785b0 (diff)
downloadsamba-2013bb9b4dbed747921df2591068e2765428f57d.tar.gz
samba-2013bb9b4dbed747921df2591068e2765428f57d.tar.bz2
samba-2013bb9b4dbed747921df2591068e2765428f57d.zip
s3:smbd: don't apply create/directory mask and modes in apply_default_perms()
The mask/mode parameters should only apply to a situation with only pure posix permissions. Once we are dealing with ACLs and inheritance, we need to do it correctly. This fixes bug #9462: Users can not be given write permissions any more by default Signed-off-by: Michael Adam <obnox@samba.org> Reviewed by: Jeremy Allison <jra@samba.org>
-rw-r--r--source3/smbd/posix_acls.c88
1 files changed, 11 insertions, 77 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 9a136c00c0..c4d24baba5 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1236,48 +1236,19 @@ NTSTATUS unpack_nt_owners(struct connection_struct *conn,
return NT_STATUS_OK;
}
-/****************************************************************************
- Ensure the enforced permissions for this share apply.
-****************************************************************************/
-static void apply_default_perms(const struct share_params *params,
- const bool is_directory, canon_ace *pace,
- mode_t type)
+static void trim_ace_perms(canon_ace *pace)
{
- mode_t and_bits = (mode_t)0;
- mode_t or_bits = (mode_t)0;
-
- /* Get the initial bits to apply. */
+ pace->perms = pace->perms & (S_IXUSR|S_IWUSR|S_IRUSR);
+}
+static void ensure_minimal_owner_ace_perms(const bool is_directory,
+ canon_ace *pace)
+{
+ pace->perms |= S_IRUSR;
if (is_directory) {
- and_bits = lp_dir_mask(params->service);
- or_bits = lp_force_dir_mode(params->service);
- } else {
- and_bits = lp_create_mask(params->service);
- or_bits = lp_force_create_mode(params->service);
- }
-
- /* Now bounce them into the S_USR space. */
- switch(type) {
- case S_IRUSR:
- /* Ensure owner has read access. */
- pace->perms |= S_IRUSR;
- if (is_directory)
- pace->perms |= (S_IWUSR|S_IXUSR);
- and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
- or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
- break;
- case S_IRGRP:
- and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
- or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
- break;
- case S_IROTH:
- and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
- or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
- break;
+ pace->perms |= (S_IWUSR|S_IXUSR);
}
-
- pace->perms = ((pace->perms & and_bits)|or_bits);
}
/****************************************************************************
@@ -1430,45 +1401,14 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
bool got_duplicate_group = false;
for (pace = *pp_ace; pace; pace = pace->next) {
+ trim_ace_perms(pace);
if (pace->type == SMB_ACL_USER_OBJ) {
- /*
- * Ensure we have default parameters for the
- * user (owner) even on default ACLs.
- */
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ ensure_minimal_owner_ace_perms(is_directory, pace);
pace_user = pace;
-
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
-
- /*
- * Ensure create mask/force create mode is respected on set.
- */
-
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IRGRP);
- }
pace_group = pace;
-
} else if (pace->type == SMB_ACL_OTHER) {
-
- /*
- * Ensure create mask/force create mode is respected on set.
- */
-
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IROTH);
- }
pace_other = pace;
-
- } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
-
- /*
- * Ensure create mask/force create mode is respected on set.
- */
-
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IRGRP);
- }
}
}
@@ -1520,7 +1460,7 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
* Ensure we have default parameters for the
* user (owner) even on default ACLs.
*/
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ ensure_minimal_owner_ace_perms(is_directory, pace);
DLIST_ADD(*pp_ace, pace);
pace_user = pace;
@@ -1546,9 +1486,6 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
} else {
pace->perms = 0;
}
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IRGRP);
- }
DLIST_ADD(*pp_ace, pace);
pace_group = pace;
@@ -1568,9 +1505,6 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
pace->trustee = global_sid_World;
pace->attr = ALLOW_ACE;
pace->perms = 0;
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IROTH);
- }
DLIST_ADD(*pp_ace, pace);
pace_other = pace;