diff options
-rw-r--r-- | source3/modules/vfs_acl_common.c | 42 |
1 files changed, 38 insertions, 4 deletions
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index 39fd2ad0ed..a12f105761 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -279,7 +279,8 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, *********************************************************************/ static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx, - SMB_STRUCT_STAT *psbuf) + SMB_STRUCT_STAT *psbuf, + bool force_inherit) { struct dom_sid owner_sid, group_sid; size_t sd_size; @@ -294,10 +295,22 @@ static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx, return NULL; } + /* If force_inherit is set, this means we are initializing the ACEs for + * a container and we want the ACEs for owner_sid and "SYSTEM" to be + * inheritable by their children (See Bug #6802). + */ + init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, - SEC_RIGHTS_FILE_ALL, 0); + SEC_RIGHTS_FILE_ALL, (force_inherit ? + (SEC_ACE_FLAG_OBJECT_INHERIT| + SEC_ACE_FLAG_CONTAINER_INHERIT) : + 0)); + init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, - SEC_RIGHTS_FILE_ALL, 0); + SEC_RIGHTS_FILE_ALL, (force_inherit ? + (SEC_ACE_FLAG_OBJECT_INHERIT| + SEC_ACE_FLAG_CONTAINER_INHERIT) : + 0)); pacl = make_sec_acl(mem_ctx, NT4_ACL_REVISION, @@ -332,6 +345,7 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, DATA_BLOB blob; size_t size; char *parent_name; + bool force_inherit = false; uint8_t hash[XATTR_SD_HASH_SIZE]; if (!parent_dirname(ctx, smb_fname->base_name, &parent_name, NULL)) { @@ -400,7 +414,27 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, return status; } - psd = default_file_sd(ctx, &smb_fname->st); + /* If we get here, we could have the following possibilities: + * 1. No ACLs exist on the parent container. + * 2. ACLs exist on the parent container but they were + * not inheritable. + * + * Check to see if case #1 occurred. + * + */ + if (container && + (parent_desc == NULL || parent_desc->dacl == NULL)) { + + /* If no parent descriptor exists, then there were + * no ACLs on the parent and then we must create + * the ACLs on this newly created folder so that they + * will be inherited by their children (See Bug #6802). + */ + + force_inherit = true; + } + + psd = default_file_sd(ctx, &smb_fname->st, force_inherit); if (!psd) { return NT_STATUS_NO_MEMORY; } |