authorJeremy Allison <jra@samba.org>2012-10-02 10:25:14 -0700
committerJeremy Allison <jra@samba.org>2012-10-02 22:27:17 +0200
commitc251a6b0442abc13bc8be4ff8de324c1d7706a78 (patch)
tree8ed3b6dc480e8c48a59911d3473e1fc7caab2c9f
parent8f0ecbbbeebff0174579a78827d384067cd4cbb7 (diff)
When creating a new file/directory, we need to obey the create mask/directory mask parameters.
Currently we call FSET_NT_ACL to inherit any ACLs on create. However FSET_NT_ACL uses the security mask/directory security mask parameters instead of the create mask/directory mask parameters. Swap them temporarily when creating to ensure the correct masks are applied. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Oct 2 22:27:17 CEST 2012 on sn-devel-104
-rw-r--r--source3/smbd/open.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d4babd40f7..bea4d99285 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3436,6 +3436,9 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn));
bool inheritable_components = false;
size_t size = 0;
+ int orig_security_mask = 0;
+ int orig_directory_security_mask = 0;
+ int snum = SNUM(fsp->conn);
if (!parent_dirname(ctx, fsp->fsp_name->base_name, &parent_name, NULL)) {
return NT_STATUS_NO_MEMORY;
@@ -3506,6 +3509,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
NDR_PRINT_DEBUG(security_descriptor, psd);
}
+ /* Temporarily replace the security masks with the create masks,
+ as we're actually doing a create here - we only call this
+ when we've created a file or directory - but there's no
+ way for FSET_NT_ACL to know the difference. */
+
+ orig_security_mask = lp_set_security_mask(snum, lp_create_mask(snum));
+ orig_directory_security_mask = lp_set_directory_security_mask(snum, lp_dir_mask(snum));
+
if (inherit_owner) {
/* We need to be root to force this. */
become_root();
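Review bot: The two `lp_set_*_mask(snum, ...)` calls added here overwrite the share's loadparm values instead of passing a mask to the ACL-set call, so until the restore in the last hunk anything that reads the security mask or directory security mask for this snum sees the create masks. The restore sits only immediately before `return status;`, and the code between the two hunks is not visible here; if an early return exists or is later added in that stretch, the share would keep the create masks as its security masks for the rest of the process, silently changing which permission bits later client ACL sets may modify. I would extend the comment with `/* This modifies per-share state: every exit path below must restore orig_security_mask and orig_directory_security_mask. */` and keep the function single-exit between the swap and the restore. The body of inherit_new_acl starts before this hunk and continues past it.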
@@ -3516,6 +3527,10 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
if (inherit_owner) {
unbecome_root();
}
+
+ (void)lp_set_security_mask(snum, orig_security_mask);
+ (void)lp_set_directory_security_mask(snum, orig_directory_security_mask);
+
return status;
}