Added some useful debugging stuff.

Fixes for se_access_check() when you are the owner of the object.
(This used to be commit 1478198b709b26d0007a8ff0586c34fc6f37a9d2)

1 files changed, 66 insertions, 10 deletions

diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index f9cfcb835b..6c38300bb3 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -153,6 +153,38 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
 		return False;
 	}
 
+	/* Some debugging stuff */
+
+	if (DEBUGLEVEL >= 3) {
+		fstring ace_sid_str, sid_str;
+		fstring ace_name, ace_name_dom, name, name_dom;
+		uint8 name_type;
+		
+		sid_to_string(sid_str, sid);
+		sid_to_string(ace_sid_str, &ace->sid);
+
+	        if (!winbind_lookup_sid(sid, name_dom, name, &name_type)) {
+			fstrcpy(name_dom, "UNKNOWN");
+			fstrcpy(name, "UNKNOWN");
+		}
+
+		if (!winbind_lookup_sid(&ace->sid, ace_name_dom, ace_name, 
+					&name_type)) {
+			fstrcpy(ace_name_dom, "UNKNOWN");
+			fstrcpy(ace_name, "UNKNOWN");
+		}
+
+		DEBUG(3, ("checking %s ACE sid %s (%s%s%s) mask 0x%08x "
+			  "against sid %s (%s%s%s)\n",
+			  (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? 
+			  "allowed" : ((ace->type ==
+					SEC_ACE_TYPE_ACCESS_DENIED) ?
+				       "denied" : "unknown"),
+			  ace_sid_str, ace_name_dom, lp_winbind_separator(),
+			  ace_name, mask, sid_str, name_dom,
+			  lp_winbind_separator(), name));
+	}
+
 	/* Only owner allowed write-owner rights */
 
 	if (!is_owner) {
@@ -178,6 +210,7 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
 				if (ace_grant(mask, acc_desired, 
 					      acc_granted)) {
 					*status = NT_STATUS_NO_PROBLEMO;
+					DEBUG(3, ("access granted\n"));
 					return True;
 				}
 			}
@@ -199,6 +232,7 @@ static BOOL check_ace(SEC_ACE *ace, BOOL is_owner, DOM_SID *sid,
 				if (ace_deny(mask, acc_desired, 
 					     acc_granted)) {
 					*status = NT_STATUS_ACCESS_DENIED;
+					DEBUG(3, ("access denied\n"));
 					return True;
 				}
 			}
@@ -240,7 +274,6 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
 {
 	DOM_SID user_sid, group_sid;
 	DOM_SID **group_sids = NULL;
-	BOOL is_owner;
 	int i, j, ngroup_sids = 0;
 	SEC_ACL *acl;
 	uint8 check_ace_type;
@@ -279,24 +312,47 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
 		DEBUG(3, ("could not lookup sid for uid %d\n", uid));
 	}
 
+	/* If we're the owner, then we can do anything */
+
+	if (sid_equal(&user_sid, sd->owner_sid)) {
+		*status = NT_STATUS_NOPROBLEMO;
+		*acc_granted = acc_desired;
+		acc_desired = 0;
+
+                goto done;
+	}
+
 	/* Create group sid */
 
 	if (!winbind_gid_to_sid(gid, &group_sid)) {
 		DEBUG(3, ("could not lookup sid for gid %d\n", gid));
 	}
 
-	/* Preparation: check owner sid, create array of group sids */
+	/* Create array of group sids */
 
-	is_owner = sid_equal(&user_sid, sd->owner_sid);
 	add_sid_to_array(&ngroup_sids, &group_sids, &group_sid);
 
 	for (i = 0; i < ngroups; i++) {
-		if (groups[i] != gid &&
-		    winbind_gid_to_sid(groups[i], &group_sid)) {
-			add_sid_to_array(&ngroup_sids, &group_sids, 
-					 &group_sid);
-		} else {
-			DEBUG(3, ("could not lookup sid for gid %d\n", gid));
+		if (groups[i] != gid) {
+			if (winbind_gid_to_sid(groups[i], &group_sid)) {
+
+				/* If we're a group member then we can also
+				   do anything */
+
+				if (sid_equal(&group_sid, sd->grp_sid)) {
+					*status = NT_STATUS_NOPROBLEMO;
+					*acc_granted = acc_desired;
+					acc_desired = 0;
+
+					goto done;
+				}
+
+				add_sid_to_array(&ngroup_sids, &group_sids, 
+						 &group_sid);
+			} else {
+				DEBUG(3, ("could not lookup sid for gid %d\n", 
+					  gid));
+			}
 		}
 	}
 
@@ -335,7 +391,7 @@ BOOL se_access_check(SEC_DESC *sd, uid_t uid, gid_t gid, int ngroups,
 		/* Check user sid */
 
                 if (ace->type == check_ace_type &&
-		    check_ace(ace, is_owner, &user_sid, &acc_desired,
+		    check_ace(ace, False, &user_sid, &acc_desired,
 			      acc_granted, status)) {
 			goto done;
                 }