authorAndrew Bartlett <abartlet@samba.org>2012-08-07 12:11:50 +1000
committerJeremy Allison <jra@samba.org>2012-08-10 14:38:47 -0700
commitc991ac0ebf13bf7832b33dffca388f6f14755fbb (patch)
tree9c9f7fbf6f0bddac618bc906cc44f5f124ab01db /source3
parentd3188a0480e067ecd8c7ac65ebd9dfc5f2132b41 (diff)
s3-smbd: Merge ACE entries based on mapped UID/GID not SID
Because the test for a valid POSIX ACL is based on each unix uid/gid appearing only once in the ACL, the merge process also needs to be UID/GID based. Merging by SID is a problem when multiple builtin groups are mapped to the same POSIX group, as happens in a Samba4 provision. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/posix_acls.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index f07f72ebb7..3485974320 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -919,7 +919,7 @@ void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid,
}
/****************************************************************************
- Merge aces with a common sid - if both are allow or deny, OR the permissions together and
+ Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and
delete the second one. If the first is deny, mask the permissions off and delete the allow
if the permissions become zero, delete the deny if the permissions are non zero.
****************************************************************************/
@@ -955,11 +955,11 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
*/
if (!dir_acl) {
- can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
+ can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
curr_ace->owner_type == curr_ace_outer->owner_type &&
(curr_ace->attr == curr_ace_outer->attr));
} else {
- can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
+ can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
curr_ace->owner_type == curr_ace_outer->owner_type &&
(curr_ace->type == curr_ace_outer->type) &&
(curr_ace->attr == curr_ace_outer->attr));
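Review bot: The `unix_ug.id` comparison in both `can_merge` assignments is only sound together with the `owner_type` test on the line after it, because a uid and a gid can share a number and merging on the number alone would OR a user's permissions into a group entry. That pairing is now written out three times (twice here and once in the deny/allow test of the next hunk), so a helper such as `static bool ace_same_unix_id(const canon_ace *a, const canon_ace *b) { return a->owner_type == b->owner_type && a->unix_ug.id == b->unix_ug.id; }` would keep the two conditions from drifting apart in a later edit. It is also worth confirming that every entry reaching this loop carries a meaningful `unix_ug.id` (the world entry, for example), which cannot be checked from these lines. merge_aces starts and ends outside the hunk.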
@@ -1009,7 +1009,7 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
* we've put on the ACL, we know the deny must be the first one.
*/
- if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
+ if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
(curr_ace->owner_type == curr_ace_outer->owner_type) &&
(curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
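Review bot: The deny/allow subtraction now fires for two entries whose `trustee` SIDs differ, as long as they map to the same uid or gid, and the comment above the test does not say so. This errs on the restrictive side, since a deny on one SID masks an allow granted to another, but it is no longer what the Windows-side ACL expressed. A line such as `/* trustees may differ: SIDs mapped to the same uid/gid are one POSIX principal, so the deny masks the allow */` would stop the next reader from assuming SID equality here. Any debug output in this branch that prints `trustee` would presumably name only one of the two SIDs; that code lies outside the hunk.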