diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2012-08-07 12:11:50 +1000 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2012-08-10 14:38:47 -0700 |
| commit | c991ac0ebf13bf7832b33dffca388f6f14755fbb (patch) | |
| tree | 9c9f7fbf6f0bddac618bc906cc44f5f124ab01db /source3/smbd | |
| parent | d3188a0480e067ecd8c7ac65ebd9dfc5f2132b41 (diff) | |
| download | samba-c991ac0ebf13bf7832b33dffca388f6f14755fbb.tar.gz samba-c991ac0ebf13bf7832b33dffca388f6f14755fbb.tar.bz2 samba-c991ac0ebf13bf7832b33dffca388f6f14755fbb.zip | |
s3-smbd: Merge ACE entries based on mapped UID/GID not SID
As the test for a valid posix ACL is based on the unix uid/gid only appearing once in the ACL
the merge process also needs to be UID/GID based.
This is a problem when we have multiple builtin groups mapped to the same POSIX group
as happens in a Samba4 provision.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/posix_acls.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index f07f72ebb7..3485974320 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -919,7 +919,7 @@ void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, } /**************************************************************************** - Merge aces with a common sid - if both are allow or deny, OR the permissions together and + Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and delete the second one. If the first is deny, mask the permissions off and delete the allow if the permissions become zero, delete the deny if the permissions are non zero. ****************************************************************************/ @@ -955,11 +955,11 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl) */ if (!dir_acl) { - can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) && + can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id && curr_ace->owner_type == curr_ace_outer->owner_type && (curr_ace->attr == curr_ace_outer->attr)); } else { - can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) && + can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id && curr_ace->owner_type == curr_ace_outer->owner_type && (curr_ace->type == curr_ace_outer->type) && (curr_ace->attr == curr_ace_outer->attr)); @@ -1009,7 +1009,7 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl) * we've put on the ACL, we know the deny must be the first one. */ - if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) && + if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id && (curr_ace->owner_type == curr_ace_outer->owner_type) && (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) { |