From 1ca7ec3472e9cb77888f2850930f087b5e5bf761 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 25 Mar 2005 01:30:21 +0000 Subject: r6055: Fix algorithm. If any of the primary or supplementary group ids match a "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't terminate on the first match. Added debug to show where the match occured (or didn't). Jeremy. (This used to be commit 81fb3372867fa66a092841222e02bd1c104b2d19) --- source3/smbd/posix_acls.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 76b67169f2..33db14aec3 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3860,6 +3860,11 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can goto check_stat; } + /* If we don't have write permission this entry never matches. */ + if (have_write == 0) { + continue; + } + switch(tagtype) { case SMB_ACL_GROUP: { @@ -3870,9 +3875,9 @@ match on user %u -> %s.\n", fname, (unsigned int)*puid, ret ? "can write" : "can for (i = 0; i < current_user.ngroups; i++) { if (current_user.groups[i] == *pgid) { /* We're done now we have a gid match. */ - ret = have_write; + ret = 1; DEBUG(10,("check_posix_acl_group_write: file %s \ -match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "cannot write")); +match on group %u -> can write.\n", fname, (unsigned int)*pgid )); goto done; } } @@ -3886,13 +3891,24 @@ match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "ca check_stat: + /* If we get here we know ret == 0. */ + SMB_ASSERT(ret == 0); + for (i = 0; i < current_user.ngroups; i++) { if (current_user.groups[i] == psbuf->st_gid) { ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0; + DEBUG(10,("check_posix_acl_group_write: file %s \ +match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write")); break; } } + if (i == current_user.ngroups) { + SMB_ASSERT(ret == 0); + DEBUG(10,("check_posix_acl_group_write: file %s \ +failed to match on user or group in token.\n", fname )); + } + done: SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl); -- cgit