author | Jeremy Allison <jra@samba.org> | 2011-11-22 11:53:51 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2011-11-22 11:53:51 -0800 |
commit | 6795432f272e725198dcd3514910c823d96d0a55 (patch) | |
tree | c97195021cd6d9ca24721f68e372c60f0e6e3382 /source3 | |
parent | 7b275c551ba3caee9e020740a672f8dd447769ff (diff) | |
Move the "set SD" code into provided SD and "inherit acls" branches.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/open.c | 61 |
1 files changed, 32 insertions, 29 deletions
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 936c27e64d..95b980f99a 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3457,42 +3457,45 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 }
 }
- /*
- * According to the MS documentation, the only time the security
- * descriptor is applied to the opened file is iff we *created* the
- * file; an existing file stays the same.
- *
- * Also, it seems (from observation) that you can open the file with
- * any access mask but you can still write the sd. We need to override
- * the granted access before we call set_sd
- * Patch for bug #2242 from Tom Lackemann <cessnatomny@yahoo.com>.
- */
-
- if ((sd != NULL) && (info == FILE_WAS_CREATED)
- && lp_nt_acl_support(SNUM(conn)) && fsp->base_fsp == NULL) {
+ if ((info == FILE_WAS_CREATED) && lp_nt_acl_support(SNUM(conn)) &&
+ fsp->base_fsp == NULL) {
+ if (sd != NULL) {
+ /*
+ * According to the MS documentation, the only time the security
+ * descriptor is applied to the opened file is iff we *created* the
+ * file; an existing file stays the same.
+ *
+ * Also, it seems (from observation) that you can open the file with
+ * any access mask but you can still write the sd. We need to override
+ * the granted access before we call set_sd
+ * Patch for bug #2242 from Tom Lackemann <cessnatomny@yahoo.com>.
+ */
- uint32_t sec_info_sent;
- uint32_t saved_access_mask = fsp->access_mask;
+ uint32_t sec_info_sent;
+ uint32_t saved_access_mask = fsp->access_mask;
- sec_info_sent = get_sec_info(sd);
+ sec_info_sent = get_sec_info(sd);
- fsp->access_mask = FILE_GENERIC_ALL;
+ fsp->access_mask = FILE_GENERIC_ALL;
- /* Convert all the generic bits. */
- security_acl_map_generic(sd->dacl, &file_generic_mapping);
- security_acl_map_generic(sd->sacl, &file_generic_mapping);
+ /* Convert all the generic bits. */
+ security_acl_map_generic(sd->dacl, &file_generic_mapping);
+ security_acl_map_generic(sd->sacl, &file_generic_mapping);
- if (sec_info_sent & (SECINFO_OWNER|
- SECINFO_GROUP|
- SECINFO_DACL|
- SECINFO_SACL)) {
- status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
- }
+ if (sec_info_sent & (SECINFO_OWNER|
+ SECINFO_GROUP|
+ SECINFO_DACL|
+ SECINFO_SACL)) {
+ status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
+ }
- fsp->access_mask = saved_access_mask;
+ fsp->access_mask = saved_access_mask;
- if (!NT_STATUS_IS_OK(status)) {
- goto fail;
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ } else if (lp_inherit_acls(SNUM(conn))) {
+ /* Inherit from parent. */
 }
 }
|
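Review bot: The new `else if (lp_inherit_acls(SNUM(conn)))` branch at the end of the hunk is empty, so a file created without a supplied SD on a share with inherit acls enabled still has no descriptor applied here, although the comment reads as if inheritance took place. If the implementation is meant to follow in a later commit, the branch should say so, e.g. `/* TODO: inherit the SD from the parent directory; not implemented yet, the new file keeps the ACL it was created with. */`. In the moved `sd != NULL` branch, `status` is still tested when none of the SECINFO bits is set and `SMB_VFS_FSET_NT_ACL` was never called, so the test then re-reads whatever `status` held before the hunk; that value is not visible here, and the behaviour is carried over from the old code. create_file_unixpath starts and ends outside the hunk.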