authorAndrew Tridgell <tridge@samba.org>2004-12-29 12:41:27 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:07:42 -0500
commit359cf872df35096aaf30a36612c62f42d7015378 (patch)
treef0a3033915e06932d836b6c3f7b32a3004abfecb /source4
parentf05bc12213477676967b5c1780c8cca61b262317 (diff)
r4391: bring the default ACL inline with what w2k3 uses
(This used to be commit 16967f7502ea6d2efa0fc08decc955a1516c3a02)
Diffstat (limited to 'source4')
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c109
-rw-r--r--source4/ntvfs/posix/pvfs_fileinfo.c4
2 files changed, 39 insertions, 74 deletions
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 5302cc9524..970cddf6f7 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -69,10 +69,8 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
{
struct security_descriptor *sd;
NTSTATUS status;
- struct security_ace aces[4];
+ struct security_ace ace;
mode_t mode;
- struct dom_sid *sid;
- int i;
sd = security_descriptor_initialise(req);
if (sd == NULL) {
@@ -90,97 +88,64 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
sd->type |= SEC_DESC_DACL_PRESENT;
+ mode = name->st.st_mode;
+
/*
- we provide 4 ACEs
- - Administrator
+ we provide up to 4 ACEs
- Owner
- Group
- Everyone
+ - Administrator
*/
- aces[0].access_mask = SEC_RIGHTS_FILE_ALL;
- aces[1].access_mask = 0;
- aces[2].access_mask = 0;
- aces[3].access_mask = 0;
- mode = name->st.st_mode;
+
+ /* setup owner ACE */
+ ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+ ace.flags = 0;
+ ace.trustee = *sd->owner_sid;
+ ace.access_mask = 0;
if (mode & S_IRUSR) {
- aces[1].access_mask |=
- SEC_FILE_READ_DATA |
- SEC_FILE_READ_EA |
- SEC_FILE_READ_ATTRIBUTE |
- SEC_FILE_EXECUTE |
- SEC_STD_SYNCHRONIZE |
- SEC_STD_READ_CONTROL;
+ ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
}
if (mode & S_IWUSR) {
- aces[1].access_mask |=
- SEC_FILE_WRITE_DATA |
- SEC_FILE_APPEND_DATA |
- SEC_FILE_WRITE_EA |
- SEC_FILE_WRITE_ATTRIBUTE |
- SEC_STD_DELETE;
+ ace.access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+ }
+ if (ace.access_mask) {
+ security_descriptor_dacl_add(sd, &ace);
}
+
+ /* setup group ACE */
+ ace.trustee = *sd->group_sid;
+ ace.access_mask = 0;
if (mode & S_IRGRP) {
- aces[2].access_mask |=
- SEC_FILE_READ_DATA |
- SEC_FILE_READ_EA |
- SEC_FILE_READ_ATTRIBUTE |
- SEC_FILE_EXECUTE |
- SEC_STD_SYNCHRONIZE |
- SEC_STD_READ_CONTROL;
+ ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
}
if (mode & S_IWGRP) {
- aces[2].access_mask |=
- SEC_FILE_WRITE_DATA |
- SEC_FILE_APPEND_DATA |
- SEC_FILE_WRITE_EA |
- SEC_FILE_WRITE_ATTRIBUTE;
+ ace.access_mask |= SEC_RIGHTS_FILE_WRITE;
+ }
+ if (ace.access_mask) {
+ security_descriptor_dacl_add(sd, &ace);
}
+ /* setup other ACE */
+ ace.trustee = *dom_sid_parse_talloc(req, SID_WORLD);
+ ace.access_mask = 0;
if (mode & S_IROTH) {
- aces[3].access_mask |=
- SEC_FILE_READ_DATA |
- SEC_FILE_READ_EA |
- SEC_FILE_READ_ATTRIBUTE |
- SEC_FILE_EXECUTE |
- SEC_STD_SYNCHRONIZE |
- SEC_STD_READ_CONTROL;
+ ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
}
if (mode & S_IWOTH) {
- aces[3].access_mask |=
- SEC_FILE_WRITE_DATA |
- SEC_FILE_APPEND_DATA |
- SEC_FILE_WRITE_EA |
- SEC_FILE_WRITE_ATTRIBUTE;
+ ace.access_mask |= SEC_RIGHTS_FILE_WRITE;
}
-
- sid = dom_sid_parse_talloc(sd, SID_BUILTIN_ADMINISTRATORS);
- if (sid == NULL) return NT_STATUS_NO_MEMORY;
-
- aces[0].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
- aces[0].flags = 0;
- aces[0].trustee = *sid;
-
- aces[1].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
- aces[1].flags = 0;
- aces[1].trustee = *sd->owner_sid;
-
- aces[2].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
- aces[2].flags = 0;
- aces[2].trustee = *sd->group_sid;
-
- sid = dom_sid_parse_talloc(sd, SID_WORLD);
- if (sid == NULL) return NT_STATUS_NO_MEMORY;
-
- aces[3].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
- aces[3].flags = 0;
- aces[3].trustee = *sid;
-
- for (i=0;i<4;i++) {
- security_descriptor_dacl_add(sd, &aces[i]);
+ if (ace.access_mask) {
+ security_descriptor_dacl_add(sd, &ace);
}
+
+ /* setup system ACE */
+ ace.trustee = *dom_sid_parse_talloc(req, SID_NT_SYSTEM);
+ ace.access_mask = SEC_RIGHTS_FILE_ALL;
+ security_descriptor_dacl_add(sd, &ace);
acl->version = 1;
acl->info.sd = sd;
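Review bot: Both `ace.trustee = *dom_sid_parse_talloc(req, SID_WORLD);` and the later `ace.trustee = *dom_sid_parse_talloc(req, SID_NT_SYSTEM);` dereference the parser's result directly, so the NULL checks the removed code had (`if (sid == NULL) return NT_STATUS_NO_MEMORY;`) are lost and an allocation failure becomes a NULL dereference while the server builds a file's default ACL. I would keep the `struct dom_sid *sid;` local that the first hunk removes and write each site as `sid = dom_sid_parse_talloc(req, SID_WORLD); if (sid == NULL) return NT_STATUS_NO_MEMORY; ace.trustee = *sid;`. The result of `security_descriptor_dacl_add()` is also discarded at all four call sites (as it was before this change), so a failed add would presumably leave a DACL silently missing an entry; if the function reports a status, it should be propagated. The block comment still lists "Administrator" although the last ACE is now built from `SID_NT_SYSTEM`; `- System` would match the code. pvfs_default_acl begins before and ends after this hunk.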
diff --git a/source4/ntvfs/posix/pvfs_fileinfo.c b/source4/ntvfs/posix/pvfs_fileinfo.c
index 888d5f78c0..fc60aa6e89 100644
--- a/source4/ntvfs/posix/pvfs_fileinfo.c
+++ b/source4/ntvfs/posix/pvfs_fileinfo.c
@@ -99,10 +99,10 @@ NTSTATUS pvfs_fill_dos_info(struct pvfs_state *pvfs, struct pvfs_filename *name,
*/
mode_t pvfs_fileperms(struct pvfs_state *pvfs, uint32 attrib)
{
- mode_t mode = S_IRUSR | S_IRGRP | S_IROTH;
+ mode_t mode = S_IRUSR;
if (attrib & FILE_ATTRIBUTE_DIRECTORY) {
- mode |= S_IXUSR | S_IXGRP | S_IXOTH;
+ mode |= S_IXUSR;
}
if (!(attrib & FILE_ATTRIBUTE_READONLY) ||
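Review bot: The new defaults in `pvfs_fileperms` leave the group and other bits clear, and nothing at the initialiser documents that this is deliberate. Since pvfs_default_acl in this same commit adds the Group and Everyone ACEs only when the corresponding mode bits yield a non-zero mask, files created with this mode presumably end up with no such ACEs. A comment such as `/* owner-only by default; group/other access is intentionally not granted */` on the `mode_t mode = S_IRUSR;` line would record that for the next maintainer. The function body continues past the end of this hunk, so how the write bits are set is not visible here.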