summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-11-12 17:11:34 +1100
committerAndrew Bartlett <abartlet@samba.org>2012-11-13 22:48:19 +0100
commitd6c7e9b1ed6f7befbb2239350bba4547ef781e58 (patch)
treeff40ee12b658dbae88128852588f82b74d6f958d /source3
parent236977bf4642c035bb22cfcd1cee481c5f6c6da1 (diff)
downloadsamba-d6c7e9b1ed6f7befbb2239350bba4547ef781e58.tar.gz
samba-d6c7e9b1ed6f7befbb2239350bba4547ef781e58.tar.bz2
samba-d6c7e9b1ed6f7befbb2239350bba4547ef781e58.zip
smbd: Remove NT4 compatability handling in posix -> NT ACL conversion
NT4 is long dead, and we should not change which ACL we return based on what we think the client is. The reason we should not do this, is that if we are using vfs_acl_xattr then the hash will break if we do. Additionally, it would require that the python VFS interface set the global remote_arch to fake up being a modern client. This instead seems cleaner and removes untested code (the tests are updated to then handle the results of the modern codepath). The supporting 'acl compatability' parameter is also removed. Andrew Bartlett Reviewed by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/include/proto.h1
-rw-r--r--source3/smbd/posix_acls.c108
-rw-r--r--source3/smbd/proto.h1
3 files changed, 1 insertions, 109 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7c5a5a7346..5f3d937ee0 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1068,7 +1068,6 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
const char *lp_template_homedir(void);
const char *lp_template_shell(void);
const char *lp_winbind_separator(void);
-int lp_acl_compatibility(void);
bool lp_winbind_enum_users(void);
bool lp_winbind_enum_groups(void);
bool lp_winbind_use_default_domain(void);
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 74ea257d36..b8e0d4aba4 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1059,24 +1059,6 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
}
/****************************************************************************
- Check if we need to return NT4.x compatible ACL entries.
-****************************************************************************/
-
-bool nt4_compatible_acls(void)
-{
- int compat = lp_acl_compatibility();
-
- if (compat == ACL_COMPAT_AUTO) {
- enum remote_arch_types ra_type = get_remote_arch();
-
- /* Automatically adapt to client */
- return (ra_type <= RA_WINNT);
- } else
- return (compat == ACL_COMPAT_WINNT);
-}
-
-
-/****************************************************************************
Map canon_ace perms to permission bits NT.
The attr element is not used here - we only process deny entries on set,
not get. Deny entries are implicit on get with ace->perms = 0.
@@ -1107,10 +1089,7 @@ uint32_t map_canon_ace_perms(int snum,
* to be changed in the future.
*/
- if (nt4_compatible_acls())
- nt_mask = UNIX_ACCESS_NONE;
- else
- nt_mask = 0;
+ nt_mask = 0;
} else {
if (directory_ace) {
nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
@@ -1954,26 +1933,6 @@ static bool create_canon_ace_lists(files_struct *fsp,
DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
return False;
}
-
- if (nt4_compatible_acls()) {
- /*
- * The security mask may be UNIX_ACCESS_NONE which should map into
- * no permissions (we overload the WRITE_OWNER bit for this) or it
- * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
- * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
- */
-
- /*
- * Convert GENERIC bits to specific bits.
- */
-
- se_map_generic(&psa->access_mask, &file_generic_mapping);
-
- psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
-
- if(psa->access_mask != UNIX_ACCESS_NONE)
- psa->access_mask &= ~UNIX_ACCESS_NONE;
- }
}
/*
@@ -3164,22 +3123,6 @@ static bool set_canon_ace_list(files_struct *fsp,
}
/****************************************************************************
- Find a particular canon_ace entry.
-****************************************************************************/
-
-static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, struct unixid *id)
-{
- while (list) {
- if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
- (type == SMB_ACL_USER && id && id->id == list->unix_ug.id) ||
- (type == SMB_ACL_GROUP && id && id->id == list->unix_ug.id)))
- break;
- list = list->next;
- }
- return list;
-}
-
-/****************************************************************************
****************************************************************************/
@@ -3461,55 +3404,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
canon_ace *ace;
enum security_ace_type nt_acl_type;
- if (nt4_compatible_acls() && dir_ace) {
- /*
- * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
- * but no non-INHERIT_ONLY entry for one SID. So we only
- * remove entries from the Access ACL if the
- * corresponding Default ACL entries have also been
- * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
- * are exceptions. We can do nothing
- * intelligent if the Default ACL contains entries that
- * are not also contained in the Access ACL, so this
- * case will still fail under NT 4.
- */
-
- ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(dir_ace, ace);
- TALLOC_FREE(ace);
-
- ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(file_ace, ace);
- TALLOC_FREE(ace);
- }
- }
-
- /*
- * WinNT doesn't usually have Creator Group
- * in browse lists, so we send this entry to
- * WinNT even if it contains no relevant
- * permissions. Once we can add
- * Creator Group to browse lists we can
- * re-enable this.
- */
-
-#if 0
- ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(dir_ace, ace);
- TALLOC_FREE(ace);
- }
-#endif
-
- ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(file_ace, ace);
- TALLOC_FREE(ace);
- }
- }
-
num_acls = count_canon_ace_list(file_ace);
num_def_acls = count_canon_ace_list(dir_ace);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index aae4bd02db..f95fddd0c6 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -703,7 +703,6 @@ void reply_pipe_read_and_X(struct smb_request *req);
/* The following definitions come from smbd/posix_acls.c */
void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid);
-bool nt4_compatible_acls(void);
uint32_t map_canon_ace_perms(int snum,
enum security_ace_type *pacl_type,
mode_t perms,