s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls

When a user owns a file, but does not have specific permissions on that file, we need to
make up the user permissions.  This change ensures that the first thing that we do
is to look up the SID, and confirm it is a user.  Then, we avoid the getpwnam()
and directly create the token via the SID.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>

1 files changed, 2 insertions, 10 deletions

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 59f8e0cd44..3f421061f8 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1310,8 +1310,6 @@ static void apply_default_perms(const struct share_params *params,
 
 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
 {
-	const char *u_name = NULL;
-
 	/* "Everyone" always matches every uid. */
 
 	if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
@@ -1337,19 +1335,13 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
 		}
 	}
 
-	/* u_name talloc'ed off tos. */
-	u_name = uidtoname(uid_ace->unix_ug.uid);
-	if (!u_name) {
-		return False;
-	}
-
 	/*
-	 * user_in_group_sid() uses create_token_from_username()
+	 * user_in_group_sid() uses create_token_from_sid()
 	 * which creates an artificial NT token given just a username,
 	 * so this is not reliable for users from foreign domains
 	 * exported by winbindd!
 	 */
-	return user_in_group_sid(u_name, &group_ace->trustee);
+	return user_sid_in_group_sid(&uid_ace->trustee, &group_ace->trustee);
 }
 
 /****************************************************************************