diff options
author | Jeremy Allison <jra@samba.org> | 2000-02-29 18:46:45 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2000-02-29 18:46:45 +0000 |
commit | f429162313c199b2b1466f25830c3241aa81f2b4 (patch) | |
tree | ca5c2ac805656ff99bd1730607a5003f59ff680d /source3 | |
parent | 1f6f8c2241f2f25b6c3002fb91fe711cb352a07f (diff) | |
download | samba-f429162313c199b2b1466f25830c3241aa81f2b4.tar.gz samba-f429162313c199b2b1466f25830c3241aa81f2b4.tar.bz2 samba-f429162313c199b2b1466f25830c3241aa81f2b4.zip |
Fixes for strange Win2K attempts to auto-inherit ACLs.
Jeremy.
(This used to be commit 41e37c51816ec048952ada1513c62f2689589001)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/rpc_secdes.h | 11 | ||||
-rw-r--r-- | source3/smbd/nttrans.c | 35 |
2 files changed, 38 insertions, 8 deletions
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index f497c25db6..791441173c 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -48,6 +48,7 @@ #define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 #define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 #define SEC_ACE_FLAG_INHERIT_ONLY 0x8 +#define SEC_ACE_FLAG_INHERITED_ACE 0x10 /* New for Windows 2000 */ #define SEC_ACE_FLAG_VALID_INHERIT 0xf #define SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0x40 #define SEC_ACE_FLAG_FAILED_ACCESS 0x80 @@ -58,6 +59,16 @@ #define SEC_DESC_DACL_DEFAULTED 0x0008 #define SEC_DESC_SACL_PRESENT 0x0010 #define SEC_DESC_SACL_DEFAULTED 0x0020 +/* + * New Windows 2000 bits. + */ +#define SE_DESC_DACL_AUTO_INHERIT_REQ 0x0100 +#define SE_DESC_SACL_AUTO_INHERIT_REQ 0x0200 +#define SE_DESC_DACL_AUTO_INHERITED 0x0400 +#define SE_DESC_SACL_AUTO_INHERITED 0x0800 +#define SE_DESC_DACL_PROTECTED 0x1000 +#define SE_DESC_SACL_PROTECTED 0x2000 + #define SEC_DESC_SELF_RELATIVE 0x8000 /* security information */ diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index e94e603661..b65deefaef 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2062,6 +2062,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint uint32 owner_rid; uint32 grp_rid; SEC_ACL *dacl = psd->dacl; + BOOL all_aces_are_inherit_only = (is_directory ? True : False); int i; *pmode = 0; @@ -2069,7 +2070,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint *pgrp = (gid_t)-1; if(security_info_sent == 0) { - DEBUG(0,("unpack_unix_permissions: no security info sent !\n")); + DEBUG(0,("unpack_nt_permissions: no security info sent !\n")); return False; } @@ -2080,7 +2081,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint memset(&owner_sid, '\0', sizeof(owner_sid)); memset(&grp_sid, '\0', sizeof(grp_sid)); - DEBUG(5,("unpack_unix_permissions: validating owner_sid.\n")); + DEBUG(5,("unpack_nt_permissions: validating owner_sid.\n")); /* * Don't immediately fail if the owner sid cannot be validated. @@ -2088,7 +2089,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint */ if(!validate_unix_sid( &owner_sid, &owner_rid, psd->owner_sid)) - DEBUG(3,("unpack_unix_permissions: unable to validate owner sid.\n")); + DEBUG(3,("unpack_nt_permissions: unable to validate owner sid.\n")); else if(security_info_sent & OWNER_SECURITY_INFORMATION) *puser = pdb_user_rid_to_uid(owner_rid); @@ -2098,7 +2099,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint */ if(!validate_unix_sid( &grp_sid, &grp_rid, psd->grp_sid)) - DEBUG(3,("unpack_unix_permissions: unable to validate group sid.\n")); + DEBUG(3,("unpack_nt_permissions: unable to validate group sid.\n")); else if(security_info_sent & GROUP_SECURITY_INFORMATION) *pgrp = pdb_user_rid_to_gid(grp_rid); @@ -2122,7 +2123,7 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) { - DEBUG(3,("unpack_unix_permissions: unable to set anything but an ALLOW or DENY ACE.\n")); + DEBUG(3,("unpack_nt_permissions: unable to set anything but an ALLOW or DENY ACE.\n")); return False; } @@ -2132,15 +2133,22 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint if(is_directory) { if(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - DEBUG(3,("unpack_unix_permissions: ignoring inherit only ACE.\n")); + DEBUG(3,("unpack_nt_permissions: ignoring inherit only ACE.\n")); continue; } + /* + * At least one of the ACE entries wasn't inherit only. + * Flag this so we know the returned mode is valid. + */ + + all_aces_are_inherit_only = False; + psa->flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT); } if(psa->flags != 0) { - DEBUG(1,("unpack_unix_permissions: unable to set ACE flags (%x).\n", + DEBUG(1,("unpack_nt_permissions: unable to set ACE flags (%x).\n", (unsigned int)psa->flags)); return False; } @@ -2191,11 +2199,22 @@ static BOOL unpack_nt_permissions(uid_t *puser, gid_t *pgrp, mode_t *pmode, uint *pmode &= ~(map_nt_perms( psa->info, S_IROTH)); } else { - DEBUG(0,("unpack_unix_permissions: unknown SID used in ACL.\n")); + DEBUG(0,("unpack_nt_permissions: unknown SID used in ACL.\n")); return False; } } + if (is_directory && all_aces_are_inherit_only) { + /* + * Windows 2000 is doing one of these weird 'inherit acl' + * traverses to conserve NTFS ACL resources. Just pretend + * there was no DACL sent. JRA. + */ + + DEBUG(10,("unpack_nt_permissions: Win2k inherit acl traverse. Ignoring DACL.\n")); + free_sec_acl(&psd->dacl); + } + return True; } |