diff options
| -rw-r--r-- | source3/smbd/posix_acls.c | 49 | ||||
| -rw-r--r-- | source3/smbd/uid.c | 23 |
2 files changed, 40 insertions, 32 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 04429d0456..0abdfdccd9 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3753,6 +3753,7 @@ static int check_posix_acl_group_write(connection_struct *conn, const char *fnam int i; BOOL seen_mask = False; int ret = -1; + gid_t cu_gid; if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS)) == NULL) { goto check_stat; @@ -3866,27 +3867,16 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can goto check_stat; } - /* Does it match the current effective group ? */ - if (current_user.gid == *pgid) { - ret = have_write; - DEBUG(10,("check_posix_acl_group_write: file %s \ -match on group %u -> can write.\n", fname, (unsigned int)*pgid )); - - /* If we don't have write permission this entry doesn't - * prevent the subsequent enumeration of the supplementary - * groups. - */ - if (have_write) { - goto done; - } - } - - /* Continue with the supplementary groups. */ - for (i = 0; i < current_user.ngroups; i++) { - if (current_user.groups[i] == *pgid) { + /* + * Does it match the current effective group + * or supplementary groups ? + */ + for (cu_gid = get_current_user_gid_first(&i); cu_gid != (gid_t)-1; + cu_gid = get_current_user_gid_next(&i)) { + if (cu_gid == *pgid) { ret = have_write; DEBUG(10,("check_posix_acl_group_write: file %s \ -match on group %u -> can write.\n", fname, (unsigned int)*pgid )); +match on group %u -> can write.\n", fname, (unsigned int)cu_gid )); /* If we don't have write permission this entry doesn't terminate the enumeration of the entries. */ @@ -3912,18 +3902,13 @@ match on group %u -> can write.\n", fname, (unsigned int)*pgid )); check_stat: /* Do we match on the owning group entry ? */ - - /* First, does it match the current effective group ? */ - if (current_user.gid == psbuf->st_gid) { - ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0; - DEBUG(10,("check_posix_acl_group_write: file %s \ -match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write")); - goto done; - } - - /* If not look at the supplementary groups. */ - for (i = 0; i < current_user.ngroups; i++) { - if (current_user.groups[i] == psbuf->st_gid) { + /* + * Does it match the current effective group + * or supplementary groups ? + */ + for (cu_gid = get_current_user_gid_first(&i); cu_gid != (gid_t)-1; + cu_gid = get_current_user_gid_next(&i)) { + if (cu_gid == psbuf->st_gid) { ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0; DEBUG(10,("check_posix_acl_group_write: file %s \ match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write")); @@ -3931,7 +3916,7 @@ match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "c } } - if (i == current_user.ngroups) { + if (cu_gid == (gid_t)-1) { DEBUG(10,("check_posix_acl_group_write: file %s \ failed to match on user or group in token (ret = %d).\n", fname, ret )); } diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 77dc19b87b..d1ecaf6625 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -24,6 +24,29 @@ extern struct current_user current_user; /**************************************************************************** + Iterator functions for getting all gid's from current_user. +****************************************************************************/ + +gid_t get_current_user_gid_first(int *piterator) +{ + *piterator = 0; + return current_user.gid; +} + +gid_t get_current_user_gid_next(int *piterator) +{ + gid_t ret; + + if (!current_user.groups || *piterator >= current_user.ngroups) { + return (gid_t)-1; + } + + ret = current_user.groups[*piterator]; + (*piterator) += 1; + return ret; +} + +/**************************************************************************** Become the guest user without changing the security context stack. ****************************************************************************/ |