diff options
| author | Jeremy Allison <jra@samba.org> | 2005-04-17 07:57:45 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:56:38 -0500 |
| commit | b39c949ae05ee990bd8daa588e92c768185761b5 (patch) | |
| tree | d73bee42891748ea6da9c70661356b8f49af7b05 /source3 | |
| parent | b49c586de46396018bf26828d78e591e67de3c0f (diff) | |
| download | samba-b39c949ae05ee990bd8daa588e92c768185761b5.tar.gz samba-b39c949ae05ee990bd8daa588e92c768185761b5.tar.bz2 samba-b39c949ae05ee990bd8daa588e92c768185761b5.zip | |
r6365: Wow, how much worse does this get. From info provided by
Eric Stewart <eric@lib.usf.edu> I realised we weren't checking
against the current effective groupid (set by force group) as
well as the group list. Fix this.
Jeremy.
(This used to be commit 0c4058c0732b1faa87ca64b8f95ad2fe3106a69f)
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/smbd/posix_acls.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 738f9d76f3..353f9a3b03 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3852,6 +3852,23 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can if (pgid == NULL) { goto check_stat; } + + /* Does it match the current effective group ? */ + if (current_user.gid == *pgid) { + ret = have_write; + DEBUG(10,("check_posix_acl_group_write: file %s \ +match on group %u -> can write.\n", fname, (unsigned int)*pgid )); + + /* If we don't have write permission this entry doesn't + * prevent the subsequent enumeration of the supplementary + * groups. + */ + if (have_write) { + goto done; + } + } + + /* Continue with the supplementary groups. */ for (i = 0; i < current_user.ngroups; i++) { if (current_user.groups[i] == *pgid) { ret = have_write; @@ -3883,6 +3900,15 @@ match on group %u -> can write.\n", fname, (unsigned int)*pgid )); /* Do we match on the owning group entry ? */ + /* First, does it match the current effective group ? */ + if (current_user.gid == psbuf->st_gid) { + ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0; + DEBUG(10,("check_posix_acl_group_write: file %s \ +match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write")); + goto done; + } + + /* If not look at the supplementary groups. */ for (i = 0; i < current_user.ngroups; i++) { if (current_user.groups[i] == psbuf->st_gid) { ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0; |