author | Jeremy Allison <jra@samba.org> | 2005-03-25 01:30:21 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:56:19 -0500 |
commit | 1ca7ec3472e9cb77888f2850930f087b5e5bf761 (patch) | |
tree | 9bbeb87416c8385b89fca072a2ae0a996cfaf787 /source3/smbd | |
parent | a5433c4bf7a256880725173b96af5405c3c2eb9c (diff) | |
r6055: Fix algorithm. If any of the primary or supplementary group ids match
an "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't
terminate on the first match. Added debug to show where the match occurred
(or didn't).
Jeremy.
(This used to be commit 81fb3372867fa66a092841222e02bd1c104b2d19)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/posix_acls.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 76b67169f2..33db14aec3 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3860,6 +3860,11 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
 goto check_stat;
 }
+ /* If we don't have write permission this entry never matches. */
+ if (have_write == 0) {
+ continue;
+ }
+
 switch(tagtype) {
 case SMB_ACL_GROUP:
 {
@@ -3870,9 +3875,9 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can
 for (i = 0; i < current_user.ngroups; i++) {
 if (current_user.groups[i] == *pgid) {
 /* We're done now we have a gid match. */
- ret = have_write;
+ ret = 1;
 DEBUG(10,("check_posix_acl_group_write: file %s \
-match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "cannot write"));
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
 goto done;
 }
 }
@@ -3886,13 +3891,24 @@ match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "ca
 check_stat:
+ /* If we get here we know ret == 0. */
+ SMB_ASSERT(ret == 0);
+
 for (i = 0; i < current_user.ngroups; i++) {
 if (current_user.groups[i] == psbuf->st_gid) {
 ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
 break;
 }
 }
+ if (i == current_user.ngroups) {
+ SMB_ASSERT(ret == 0);
+ DEBUG(10,("check_posix_acl_group_write: file %s \
+failed to match on user or group in token.\n", fname ));
+ }
+
 done:
 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl); |
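Review bot: The new guard `if (have_write == 0)` filters only the exact value 0, while the second hunk replaces `ret = have_write` with a hard-coded `ret = 1`, so any other value of have_write that reaches the switch now grants write on a gid match. The `goto check_stat;` context line just above the guard looks like the error branch of the permission lookup, but its condition is outside the hunk. Unless that branch is guaranteed to catch every negative result, the guard should fail closed with `if (have_write <= 0) {`. A short comment that a skipped entry is not a deny, and that the decision then falls to the `st_mode` test at `check_stat`, would also help the next reader.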
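Review bot: The gid match in this loop now sets `ret = 1` from the entry's own permset alone, and nothing visible in the hunk applies the ACL mask entry, which limits named-group permissions under POSIX ACL evaluation. check_posix_acl_group_write starts and ends outside this hunk, so the mask may already be handled earlier; if it is, say so next to the assignment, e.g. `/* Mask already applied above; a write bit here is effective. */`. If it is not, this branch can report "can write" for an entry the kernel would refuse, and any caller that trusts this answer over the kernel's check would be over-permissive.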
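Review bot: `SMB_ASSERT(ret == 0)` directly under `check_stat:` turns a wrong assumption inside an access check into a process abort, because a failed SMB_ASSERT panics smbd. The label is a goto target for paths earlier in the function (one is visible in the first hunk's context), and the hunk does not show that ret is 0 on all of them; the hunk headers suggest a user-match stage that also assigns ret. Failing closed is safer: `if (ret != 0) { DEBUG(0,("check_posix_acl_group_write: unexpected ret %d at check_stat\n", ret)); ret = 0; }`. The second assert inside `if (i == current_user.ngroups)` can be dropped, since ret is only assigned in the loop immediately before `break`.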