authorJeremy Allison <jra@samba.org>2000-02-29 18:46:45 +0000
committerJeremy Allison <jra@samba.org>2000-02-29 18:46:45 +0000
commitf429162313c199b2b1466f25830c3241aa81f2b4 (patch)
treeca5c2ac805656ff99bd1730607a5003f59ff680d /source3
parent1f6f8c2241f2f25b6c3002fb91fe711cb352a07f (diff)
Fixes for strange Win2K attempts to auto-inherit ACLs.
Jeremy. (This used to be commit 41e37c51816ec048952ada1513c62f2689589001)
Diffstat (limited to 'source3')
-rw-r--r--source3/include/rpc_secdes.h11
-rw-r--r--source3/smbd/nttrans.c35
2 files changed, 38 insertions, 8 deletions
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index f497c25db6..791441173c 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -48,6 +48,7 @@
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
+#define SEC_ACE_FLAG_INHERITED_ACE 0x10 /* New for Windows 2000 */
#define SEC_ACE_FLAG_VALID_INHERIT 0xf
#define SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0x40
#define SEC_ACE_FLAG_FAILED_ACCESS 0x80
@@ -58,6 +59,16 @@
#define SEC_DESC_DACL_DEFAULTED 0x0008
#define SEC_DESC_SACL_PRESENT 0x0010
#define SEC_DESC_SACL_DEFAULTED 0x0020
+/*
+ * New Windows 2000 bits.
+ */
+#define SE_DESC_DACL_AUTO_INHERIT_REQ 0x0100
+#define SE_DESC_SACL_AUTO_INHERIT_REQ 0x0200
+#define SE_DESC_DACL_AUTO_INHERITED 0x0400
+#define SE_DESC_SACL_AUTO_INHERITED 0x0800
+#define SE_DESC_DACL_PROTECTED 0x1000
+#define SE_DESC_SACL_PROTECTED 0x2000
+
#define SEC_DESC_SELF_RELATIVE 0x8000
/* security information */
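Review bot: The six new descriptor-control constants in the second hunk use the prefix `SE_DESC_`, while every neighbouring constant in this header (`SEC_DESC_DACL_DEFAULTED`, `SEC_DESC_SACL_PRESENT`, `SEC_DESC_SELF_RELATIVE`) uses `SEC_DESC_`; a reader grepping for `SEC_DESC_` will miss them, and the two spellings are one typo apart. I would rename them before anything depends on the names, e.g. `#define SEC_DESC_DACL_AUTO_INHERIT_REQ 0x0100` through `#define SEC_DESC_SACL_PROTECTED 0x2000`. In the first hunk, `SEC_ACE_FLAG_INHERITED_ACE 0x10` is added directly above `SEC_ACE_FLAG_VALID_INHERIT 0xf`, which does not cover the new bit; if that exclusion is deliberate (the new flag marks provenance rather than inheritance control) a one-line comment on the mask saying so would stop the next reader from "fixing" it to `0x1f`.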
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index e94e603661..b65deefaef 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2062,6 +2062,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
uint32 owner_rid;
uint32 grp_rid;
SEC_ACL *dacl = psd->dacl;
+ BOOL all_aces_are_inherit_only = (is_directory ? True : False);
int i;
*pmode = 0;
@@ -2069,7 +2070,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
*pgrp = (gid_t)-1;
if(security_info_sent == 0) {
- DEBUG(0,("unpack_unix_permissions: no security info sent !\n"));
+ DEBUG(0,("unpack_nt_permissions: no security info sent !\n"));
return False;
}
@@ -2080,7 +2081,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
memset(&owner_sid, '\0', sizeof(owner_sid));
memset(&grp_sid, '\0', sizeof(grp_sid));
- DEBUG(5,("unpack_unix_permissions: validating owner_sid.\n"));
+ DEBUG(5,("unpack_nt_permissions: validating owner_sid.\n"));
/*
* Don't immediately fail if the owner sid cannot be validated.
@@ -2088,7 +2089,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
*/
if(!validate_unix_sid( &owner_sid, &owner_rid, psd->owner_sid))
- DEBUG(3,("unpack_unix_permissions: unable to validate owner sid.\n"));
+ DEBUG(3,("unpack_nt_permissions: unable to validate owner sid.\n"));
else if(security_info_sent & OWNER_SECURITY_INFORMATION)
*puser = pdb_user_rid_to_uid(owner_rid);
@@ -2098,7 +2099,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
*/
if(!validate_unix_sid( &grp_sid, &grp_rid, psd->grp_sid))
- DEBUG(3,("unpack_unix_permissions: unable to validate group sid.\n"));
+ DEBUG(3,("unpack_nt_permissions: unable to validate group sid.\n"));
else if(security_info_sent & GROUP_SECURITY_INFORMATION)
*pgrp = pdb_user_rid_to_gid(grp_rid);
@@ -2122,7 +2123,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) &&
(psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
- DEBUG(3,("unpack_unix_permissions: unable to set anything but an ALLOW or DENY ACE.\n"));
+ DEBUG(3,("unpack_nt_permissions: unable to set anything but an ALLOW or DENY ACE.\n"));
return False;
}
@@ -2132,15 +2133,22 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
if(is_directory) {
if(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- DEBUG(3,("unpack_unix_permissions: ignoring inherit only ACE.\n"));
+ DEBUG(3,("unpack_nt_permissions: ignoring inherit only ACE.\n"));
continue;
}
+ /*
+ * At least one of the ACE entries wasn't inherit only.
+ * Flag this so we know the returned mode is valid.
+ */
+
+ all_aces_are_inherit_only = False;
+
psa->flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT);
}
if(psa->flags != 0) {
- DEBUG(1,("unpack_unix_permissions: unable to set ACE flags (%x).\n",
+ DEBUG(1,("unpack_nt_permissions: unable to set ACE flags (%x).\n",
(unsigned int)psa->flags));
return False;
}
@@ -2191,11 +2199,22 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint
*pmode &= ~(map_nt_perms( psa->info, S_IROTH));
} else {
- DEBUG(0,("unpack_unix_permissions: unknown SID used in ACL.\n"));
+ DEBUG(0,("unpack_nt_permissions: unknown SID used in ACL.\n"));
return False;
}
}
+ if (is_directory && all_aces_are_inherit_only) {
+ /*
+ * Windows 2000 is doing one of these weird 'inherit acl'
+ * traverses to conserve NTFS ACL resources. Just pretend
+ * there was no DACL sent. JRA.
+ */
+
+ DEBUG(10,("unpack_nt_permissions: Win2k inherit acl traverse. Ignoring DACL.\n"));
+ free_sec_acl(&psd->dacl);
+ }
+
return True;
}
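Review bot: The directory branch in the seventh hunk still strips only `SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT` before the `psa->flags != 0` check, so an ACE carrying the `SEC_ACE_FLAG_INHERITED_ACE` bit this same commit introduces in rpc_secdes.h would be rejected with "unable to set ACE flags" rather than handled; if Win2K marks propagated ACEs with that bit on write (inferred from its name, not visible here), the mask should become `psa->flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERITED_ACE);`. In the last hunk, `all_aces_are_inherit_only` starts as True for directories and is only cleared inside the ACE loop, so a directory DACL with zero ACEs (an explicit "nobody" DACL in NT semantics) would also be freed and silently treated as "no DACL sent"; the loop header is outside the hunk, so whether a zero-ACE DACL can reach this point should be confirmed, and if it can, the condition wants a `dacl->num_aces > 0` style guard. Since `all_aces_are_inherit_only` can only be True when `is_directory` is, the `is_directory &&` in that condition is redundant and could be dropped. Freeing `psd->dacl` is a new side effect on the caller's security descriptor; the function's header comment (outside this hunk) should state that the DACL may be released and `psd->dacl` nulled on return.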