diff options
author | Jeremy Allison <jra@samba.org> | 2010-10-15 15:56:09 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-10-16 01:26:30 +0000 |
commit | 06fc79f1fde5963ef89027e2cd297e866aa8c204 (patch) | |
tree | 7f70ec483d5e59f81650dc44fa8878d14bf86bfc /source3/modules | |
parent | cf45581cdfbe60815c5b278f2c4cbceeb7ca1407 (diff) | |
download | samba-06fc79f1fde5963ef89027e2cd297e866aa8c204.tar.gz samba-06fc79f1fde5963ef89027e2cd297e866aa8c204.tar.bz2 samba-06fc79f1fde5963ef89027e2cd297e866aa8c204.zip |
Add acl_xattr:ignore system acls boolean (normally false) to allow
Samba ACL module to ignore mapping to lower POSIX layer. With this
fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters
set).
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Oct 16 01:26:31 UTC 2010 on sn-devel-104
Diffstat (limited to 'source3/modules')
-rw-r--r-- | source3/modules/vfs_acl_common.c | 46 | ||||
-rw-r--r-- | source3/modules/vfs_acl_tdb.c | 1 | ||||
-rw-r--r-- | source3/modules/vfs_acl_xattr.c | 2 |
3 files changed, 38 insertions, 11 deletions
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index a6ea75f45c..5fbf686e6b 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -257,6 +257,10 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, uint8_t hash_tmp[XATTR_SD_HASH_SIZE]; struct security_descriptor *psd = NULL; struct security_descriptor *pdesc_next = NULL; + bool ignore_file_system_acl = lp_parm_bool(SNUM(handle->conn), + ACL_MODULE_NAME, + "ignore system acls", + false); if (fsp && name == NULL) { name = fsp->fsp_name->base_name; @@ -320,6 +324,9 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, goto out; } + if (ignore_file_system_acl) { + goto out; + } status = hash_sd_sha256(pdesc_next, hash_tmp); if (!NT_STATUS_IS_OK(status)) { @@ -356,28 +363,45 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, * inheritable ACE entries we have to fake them. */ if (fsp) { - is_directory = fsp->is_directory; + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + return status; + } psbuf = &fsp->fsp_name->st; } else { - if (vfs_stat_smb_fname(handle->conn, + int ret = vfs_stat_smb_fname(handle->conn, name, - &sbuf) == 0) { - is_directory = S_ISDIR(sbuf.st_ex_mode); + &sbuf); + if (ret == -1) { + return map_nt_error_from_unix(errno); } } - if (is_directory && + is_directory = S_ISDIR(sbuf.st_ex_mode); + + if (ignore_file_system_acl) { + TALLOC_FREE(pdesc_next); + status = make_default_filesystem_acl(talloc_tos(), + name, + psbuf, + &psd); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } else { + if (is_directory && !sd_has_inheritable_components(psd, true)) { - add_directory_inheritable_components(handle, + add_directory_inheritable_components(handle, name, psbuf, psd); + } + /* The underlying POSIX module always sets + the ~SEC_DESC_DACL_PROTECTED bit, as ACLs + can't be inherited in this way under POSIX. + Remove it for Windows-style ACLs. */ + psd->type &= ~SEC_DESC_DACL_PROTECTED; } - /* The underlying POSIX module always sets - the ~SEC_DESC_DACL_PROTECTED bit, as ACLs - can't be inherited in this way under POSIX. - Remove it for Windows-style ACLs. */ - psd->type &= ~SEC_DESC_DACL_PROTECTED; } if (!(security_info & SECINFO_OWNER)) { diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index f31e09332a..6364b7b9f8 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c @@ -29,6 +29,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_VFS +#define ACL_MODULE_NAME "acl_tdb" #include "modules/vfs_acl_common.c" static unsigned int ref_count; diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 18f2d42784..e486e2064d 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -29,6 +29,8 @@ #define DBGC_CLASS DBGC_VFS /* Pull in the common functions. */ +#define ACL_MODULE_NAME "acl_xattr" + #include "modules/vfs_acl_common.c" /******************************************************************* |