From 14813e74431816cd894fb242ff5633c2cd14ddca Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 21 Oct 2013 16:59:11 -0700 Subject: Fix bug 10196 - RW Deny for a specific user is not overriding RW Allow for a group. When the ID returned is ID_TYPE_BOTH we must *always* add it as both a user and a group, not just in the owning case. Otherwise DENY entries are not correctly processed. Confirmed by the reporter as fixing the problem. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10196 Signed-off-by: Jeremy Allison Reviewed-by: David Disseldorp --- source3/smbd/posix_acls.c | 79 ++++++++++++++++++++++++----------------------- 1 file changed, 41 insertions(+), 38 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index ad1431d761..621457e051 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -1981,47 +1981,50 @@ static bool create_canon_ace_lists(files_struct *fsp, } if (unixid.type == ID_TYPE_BOTH) { - /* If it's the owning user, this is a - * user_obj, not a user. This way, we - * get a valid ACL for groups that own - * files, without putting user ACL - * entries in for groups otherwise */ - if (unixid.id == pst->st_ex_uid) { - current_ace->owner_type = UID_ACE; - current_ace->unix_ug.type = ID_TYPE_UID; - current_ace->unix_ug.id = unixid.id; - current_ace->type = SMB_ACL_USER_OBJ; - - /* Add the user object to the posix ACL, - and proceed to the group mapping - below. This handles the talloc_free - of current_ace if not added for some - reason */ - if (!add_current_ace_to_acl(fsp, - psa, - &file_ace, - &dir_ace, - &got_file_allow, - &got_dir_allow, - &all_aces_are_inherit_only, - current_ace)) { - free_canon_ace_list(file_ace); - free_canon_ace_list(dir_ace); - return false; - } - - if ((current_ace = talloc(talloc_tos(), - canon_ace)) == NULL) { - free_canon_ace_list(file_ace); - free_canon_ace_list(dir_ace); - DEBUG(0,("create_canon_ace_lists: " - "malloc fail.\n")); - return False; - } + /* + * We must add both a user and group + * entry POSIX_ACL. + * This is due to the fact that in POSIX + * user entries are more specific than + * groups. + */ + current_ace->owner_type = UID_ACE; + current_ace->unix_ug.type = ID_TYPE_UID; + current_ace->unix_ug.id = unixid.id; + current_ace->type = + (unixid.id == pst->st_ex_uid) ? + SMB_ACL_USER_OBJ : + SMB_ACL_USER; + + /* Add the user object to the posix ACL, + and proceed to the group mapping + below. This handles the talloc_free + of current_ace if not added for some + reason */ + if (!add_current_ace_to_acl(fsp, + psa, + &file_ace, + &dir_ace, + &got_file_allow, + &got_dir_allow, + &all_aces_are_inherit_only, + current_ace)) { + free_canon_ace_list(file_ace); + free_canon_ace_list(dir_ace); + return false; + } - ZERO_STRUCTP(current_ace); + if ((current_ace = talloc(talloc_tos(), + canon_ace)) == NULL) { + free_canon_ace_list(file_ace); + free_canon_ace_list(dir_ace); + DEBUG(0,("create_canon_ace_lists: " + "malloc fail.\n")); + return False; } + ZERO_STRUCTP(current_ace); + sid_copy(¤t_ace->trustee, &psa->trustee); current_ace->unix_ug.type = ID_TYPE_GID; -- cgit