author | Jeremy Allison <jra@samba.org> | 2011-04-14 13:20:08 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2011-04-14 13:20:08 -0700 |
commit | 182eea9ae26804d7f4eedcfa09eef0342ec3db5a (patch) | |
tree | 80e1af1c223b21af0313006e3f42845da72099b3 /source3/modules | |
parent | 9c2ba9436d1abe66c493a512702101f631946cdf (diff) | |
Fix bug #8083 - "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module.
If "inherit owner = yes", pass in the directory owner and group
owner as the target for CREATOR_OWNER and CREATOR_GROUP substitutions,
and also as the owner and primary group of the new security descriptor
being applied to the object.
Jeremy.
Diffstat (limited to 'source3/modules')
-rw-r--r-- | source3/modules/vfs_acl_common.c | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index 5edcb4bc06..6c57acb13d 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -446,6 +446,9 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, TALLOC_CTX *ctx = talloc_tos(); NTSTATUS status = NT_STATUS_OK; struct security_descriptor *psd = NULL; + struct dom_sid *owner_sid = NULL; + struct dom_sid *group_sid = NULL; + bool inherit_owner = lp_inherit_owner(SNUM(handle->conn)); size_t size; if (!sd_has_inheritable_components(parent_desc, is_directory)) { @@ -460,12 +463,25 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, NDR_PRINT_DEBUG(security_descriptor, parent_desc); } + /* Inherit from parent descriptor if "inherit owner" set. */ + if (inherit_owner) { + owner_sid = parent_desc->owner_sid; + group_sid = parent_desc->group_sid; + } + + if (owner_sid == NULL) { + owner_sid = &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + } + if (group_sid == NULL) { + group_sid = &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX]; + } + status = se_create_child_secdesc(ctx, &psd, &size, parent_desc, - &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX], - &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX], + owner_sid, + group_sid, is_directory); if (!NT_STATUS_IS_OK(status)) { return status; @@ -477,11 +493,19 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, NDR_PRINT_DEBUG(security_descriptor, psd); } - return SMB_VFS_FSET_NT_ACL(fsp, + if (inherit_owner) { + /* We need to be root to force this. */ + become_root(); + } + status = SMB_VFS_FSET_NT_ACL(fsp, (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL), psd); + if (inherit_owner) { + unbecome_root(); + } + return status; } static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle, |
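Review bot: In the `@@ -460,12 +463,25 @@` hunk the comment `/* Inherit from parent descriptor if "inherit owner" set. */` says less than the code does. owner_sid and group_sid are not only the owner and group of the new descriptor; they are also the two SID arguments handed to se_create_child_secdesc(), which the commit message describes as the CREATOR_OWNER and CREATOR_GROUP substitution targets. With "inherit owner = yes", inheritable creator ACEs therefore resolve to the directory's owner and group rather than to the connecting user, and that access-control consequence belongs next to the assignment: `/* "inherit owner": the parent's owner and group become both the owner/group of the new descriptor and the CREATOR_OWNER/CREATOR_GROUP substitution targets. */`. The two NULL fallbacks can also combine a parent SID with a session-token SID when parent_desc carries only one of them; a short comment saying this is intended would help. inherit_new_acl starts before and ends after this hunk.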
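Review bot: In the `@@ -477,11 +493,19 @@` hunk the become_root()/unbecome_root() pair is keyed on the share setting `inherit_owner` alone. SMB_VFS_FSET_NT_ACL therefore runs as root even when parent_desc had neither SID and both fell back to the session token, a case where the elevation is not needed. A flag recording that a parent SID was actually taken, e.g. `bool force_owner = inherit_owner && (parent_desc->owner_sid != NULL || parent_desc->group_sid != NULL);`, tested in place of `inherit_owner` at both calls, would limit the root window to the case that requires it. The elevated call also writes SECINFO_DACL, not only owner and group, so `/* We need to be root to force this. */` should state why that is acceptable. From the visible lines, psd is built in this function by se_create_child_secdesc() from parent_desc and is not a client-supplied descriptor, and the comment should record that invariant. inherit_new_acl starts before this hunk.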