authorJeremy Allison <jra@samba.org>2005-03-25 01:30:21 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:56:19 -0500
commit1ca7ec3472e9cb77888f2850930f087b5e5bf761 (patch)
tree9bbeb87416c8385b89fca072a2ae0a996cfaf787 /source3/smbd
parenta5433c4bf7a256880725173b96af5405c3c2eb9c (diff)
r6055: Fix algorithm. If any of the primary or supplementary group ids match
an "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't terminate on the first match. Added debug to show where the match occurred (or didn't). Jeremy. (This used to be commit 81fb3372867fa66a092841222e02bd1c104b2d19)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/posix_acls.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 76b67169f2..33db14aec3 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3860,6 +3860,11 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
goto check_stat;
}
+ /* If we don't have write permission this entry never matches. */
+ if (have_write == 0) {
+ continue;
+ }
+
switch(tagtype) {
case SMB_ACL_GROUP:
{
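Review bot: The new `if (have_write == 0) continue;` ahead of `switch(tagtype)` means a matching owning-group entry without write no longer ends the search, so the walk can apparently reach `check_stat:` even though an ACL was read. On platforms where the group bits of `st_mode` mirror the ACL mask entry when one exists (Linux behaves this way), the `S_IWGRP` test there can then report "can write" for an owning-group member whose own entry lacks write. The loop exit and the rest of the function are outside this hunk, so the fall-through is inferred; if it holds, the stat fallback should be limited to the case where no ACL could be read. A comment such as `/* Entries without write cannot grant access; keep looking for one that does. */` would also make the intent of the skip explicit.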
@@ -3870,9 +3875,9 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
for (i = 0; i < current_user.ngroups; i++) {
if (current_user.groups[i] == *pgid) {
/* We're done now we have a gid match. */
- ret = have_write;
+ ret = 1;
DEBUG(10,("check_posix_acl_group_write: file %s \
-match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "cannot write"));
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
goto done;
}
}
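Review bot: The match loop here walks only `current_user.groups[]`, while the commit message promises that the primary or any supplementary group id is honoured. If the primary gid is not guaranteed to be present in that array, a grant through the primary group is missed here and again in the loop after `check_stat:`; that fails closed, but it under-reports access. Either compare the primary gid explicitly or record the invariant next to the loop, e.g. `/* current_user.groups[] is expected to contain the primary gid as well. */`. The retained comment is now slightly off too, since a gid match alone no longer finishes the search; `/* A matching entry that grants write: we're done. */` fits the new logic.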
@@ -3886,13 +3891,24 @@ match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "ca
check_stat:
+ /* If we get here we know ret == 0. */
+ SMB_ASSERT(ret == 0);
+
for (i = 0; i < current_user.ngroups; i++) {
if (current_user.groups[i] == psbuf->st_gid) {
ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
break;
}
}
+ if (i == current_user.ngroups) {
+ SMB_ASSERT(ret == 0);
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+failed to match on user or group in token.\n", fname ));
+ }
+
done:
SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
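Review bot: Both `SMB_ASSERT(ret == 0)` lines make a broken invariant in a permission check fatal, because SMB_ASSERT as defined in Samba panics the smbd process serving the client rather than returning an error. Failing closed keeps the answer safe without the abort: `if (ret != 0) { DEBUG(0,("check_posix_acl_group_write: unexpected ret %d\n", ret)); ret = 0; }`. The second assert, inside `if (i == current_user.ngroups)`, cannot fire once the first has passed, since the loop only assigns `ret` on the path that breaks. The function starts before this hunk, so which jumps reach `check_stat:` with `ret` already set cannot be confirmed from here.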