summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/posix_acls.c121
1 files changed, 14 insertions, 107 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 8da12b9b68..d775a82d2d 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -605,14 +605,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
BOOL got_other = False;
canon_ace *pace_other = NULL;
canon_ace *pace_group = NULL;
- connection_struct *conn = fsp->conn;
- SMB_ACL_T current_posix_acl = NULL;
- mode_t current_user_perms = 0;
- mode_t current_grp_perms = 0;
- mode_t current_other_perms = 0;
- BOOL got_current_user = False;
- BOOL got_current_grp = False;
- BOOL got_current_other = False;
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
@@ -645,62 +637,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
}
}
- /*
- * When setting ACLs and missing one out of SMB_ACL_USER_OBJ,
- * SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER, try to retrieve current
- * values. For user and other a simple SMB_VFS_STAT would do, but
- * we would get mask instead of group. Let's do it via ACL.
- */
-
- if (setting_acl && (!got_user || !got_grp || !got_other)) {
-
- SMB_ACL_ENTRY_T entry;
- int entry_id = SMB_ACL_FIRST_ENTRY;
-
- if(fsp->is_directory || fsp->fd == -1) {
- current_posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
- } else {
- current_posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, fsp->fd);
- }
-
- if (current_posix_acl) {
- while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, current_posix_acl, entry_id, &entry) == 1) {
- SMB_ACL_TAG_T tagtype;
- SMB_ACL_PERMSET_T permset;
-
- /* get_next... */
- if (entry_id == SMB_ACL_FIRST_ENTRY)
- entry_id = SMB_ACL_NEXT_ENTRY;
-
- /* Is this a MASK entry ? */
- if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
- continue;
-
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
- continue;
-
- switch(tagtype) {
- case SMB_ACL_USER_OBJ:
- current_user_perms = convert_permset_to_mode_t(conn, permset);
- got_current_user = True;
- break;
- case SMB_ACL_GROUP_OBJ:
- current_grp_perms = convert_permset_to_mode_t(conn, permset);
- got_current_grp = True;
- break;
- case SMB_ACL_OTHER:
- current_other_perms = convert_permset_to_mode_t(conn, permset);
- got_current_other = True;
- break;
- }
- }
- SMB_VFS_SYS_ACL_FREE_ACL(conn, current_posix_acl);
- } else {
- DEBUG(10,("ensure_canon_entry_valid: failed to retrieve current ACL of %s\n",
- fsp->fsp_name));
- }
- }
-
if (!got_user) {
if ((pace = (canon_ace *)malloc(sizeof(canon_ace))) == NULL) {
DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
@@ -715,18 +651,13 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
pace->attr = ALLOW_ACE;
if (setting_acl) {
- if (got_current_user) {
- pace->perms = current_user_perms;
- } else {
- /* If we only got an "everyone" perm, just use that. */
- if (!got_grp && got_other)
- pace->perms = pace_other->perms;
- else if (got_grp && uid_entry_in_group(pace, pace_group))
- pace->perms = pace_group->perms;
- else
- pace->perms = 0;
-
- }
+ /* If we only got an "everyone" perm, just use that. */
+ if (!got_grp && got_other)
+ pace->perms = pace_other->perms;
+ else if (got_grp && uid_entry_in_group(pace, pace_group))
+ pace->perms = pace_group->perms;
+ else
+ pace->perms = 0;
apply_default_perms(fsp, pace, S_IRUSR);
} else {
@@ -749,15 +680,11 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
pace->trustee = *pfile_grp_sid;
pace->attr = ALLOW_ACE;
if (setting_acl) {
- if (got_current_grp) {
- pace->perms = current_grp_perms;
- } else {
- /* If we only got an "everyone" perm, just use that. */
- if (got_other)
- pace->perms = pace_other->perms;
- else
- pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
- }
+ /* If we only got an "everyone" perm, just use that. */
+ if (got_other)
+ pace->perms = pace_other->perms;
+ else
+ pace->perms = 0;
apply_default_perms(fsp, pace, S_IRGRP);
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
@@ -779,10 +706,7 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
pace->trustee = global_sid_World;
pace->attr = ALLOW_ACE;
if (setting_acl) {
- if (got_current_other)
- pace->perms = current_other_perms;
- else
- pace->perms = 0;
+ pace->perms = 0;
apply_default_perms(fsp, pace, S_IROTH);
} else
pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@ -2351,7 +2275,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
int nt_acl_type;
int i;
- if (nt4_compatible_acls()) {
+ if (nt4_compatible_acls() && dir_ace) {
/*
* NT 4 chokes if an ACL contains an INHERIT_ONLY entry
* but no non-INHERIT_ONLY entry for one SID. So we only
@@ -2364,9 +2288,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
* case will still fail under NT 4.
*/
- if (!dir_ace)
- goto simplify_file_ace_only;
-
ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
if (ace && !ace->perms) {
DLIST_REMOVE(dir_ace, ace);
@@ -2413,20 +2334,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
DLIST_REMOVE(dir_ace, ace);
SAFE_FREE(ace);
}
-
- simplify_file_ace_only:
-
- ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(file_ace, ace);
- SAFE_FREE(ace);
- }
-
- ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(file_ace, ace);
- SAFE_FREE(ace);
- }
}
num_acls = count_canon_ace_list(file_ace);