authorJeremy Allison <jra@samba.org>2012-11-13 11:22:15 -0800
committerMichael Adam <obnox@samba.org>2012-11-15 19:52:51 +0100
commitcf1540b73714fac6b25de5942cbd821e5f4f6ffc (patch)
tree967d316f9b19d385ba47efa7326921c0e8ac53c3 /source3/smbd
parent4ed7803c803e94f5887775f1acb902063f7bcc86 (diff)
Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs.
Not caught by make test as it's an extreme edge case for strange incoming ACLs. I only found this as I'm making raw.acls and smb2.acls pass against 3.6.x and 4.0.0 with acl_xattr mapped onto a POSIX backend. An incoming inheritable ACE entry containing only one permission, WRITE_DATA maps into a POSIX owner perm of "-w-", which violates the principle that the owner of a file/directory can always read. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Nov 15 19:52:52 CET 2012 on sn-devel-104
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/posix_acls.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index b8e0d4aba4..bca5304eff 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1431,10 +1431,11 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
-
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IRUSR);
- }
+ /*
+ * Ensure we have default parameters for the
+ * user (owner) even on default ACLs.
+ */
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
pace_user = pace;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
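Review bot: The new comment in the SMB_ACL_USER_OBJ branch says "default parameters", but per the commit message the invariant being enforced is that the owner entry always keeps read permission, now on default (inheritable) ACLs as well; I would state that directly, e.g. `/* The owner must always be able to read: apply the owner defaults (S_IRUSR) even when this is a default (inheritable) ACL. */`. The same comment and unconditional call are repeated in the second hunk, where the missing owner entry is created and added with DLIST_ADD, so the wording should be fixed in both places. apply_default_perms is defined outside this diff; if it adjusts more than the owner read bit (for example share-level mask or force-mode settings), those adjustments now also end up in the default ACL that new children inherit, which is worth confirming as intended. Since the description notes that make test does not catch this, a regression case that sets an inheritable ACE carrying only WRITE_DATA and checks the resulting owner permissions would pin the behaviour. ensure_canon_entry_valid_on_set starts and ends outside both hunks.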
@@ -1515,9 +1516,11 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
pace->perms = pace_other->perms;
}
- if (!is_default_acl) {
- apply_default_perms(params, is_directory, pace, S_IRUSR);
- }
+ /*
+ * Ensure we have default parameters for the
+ * user (owner) even on default ACLs.
+ */
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
DLIST_ADD(*pp_ace, pace);
pace_user = pace;