From 1fb1c67fb9392364887ba8963f18d10b27d1cfa0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 3 Jul 2008 10:24:12 -0700
Subject: Patch from SATOH Fumiyasu for bug #5202. Re-activate "acl group control" parameter and make it only apply to owning group. Also added man page fix. Jeremy. (This used to be commit e98e080bad2c8b9f038a8f2dffcfeba1d5f392ce)
---
 docs-xml/smbdotconf/misc/dosfilemode.xml | 17 +++++-----
 docs-xml/smbdotconf/security/aclgroupcontrol.xml | 6 ++--
 source3/param/loadparm.c | 2 +-
 source3/smbd/posix_acls.c | 40 +++++++++++++++---------
 4 files changed, 40 insertions(+), 25 deletions(-)
diff --git a/docs-xml/smbdotconf/misc/dosfilemode.xml b/docs-xml/smbdotconf/misc/dosfilemode.xml
index ae3b475107..e67ccd935a 100644
--- a/docs-xml/smbdotconf/misc/dosfilemode.xml
+++ b/docs-xml/smbdotconf/misc/dosfilemode.xml
@@ -3,15 +3,16 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
- The default behavior in Samba is to provide
- UNIX-like behavior where only the owner of a file/directory is
+ The default behavior in Samba is to provide
+ UNIX-like behavior where only the owner of a file/directory is
 able to change the permissions on it. However, this behavior
- is often confusing to DOS/Windows users. Enabling this parameter
- allows a user who has write access to the file (by whatever
- means) to modify the permissions (including ACL) on it. Note that a user
- belonging to the group owning the file will not be allowed to
- change permissions if the group is only granted read access.
- Ownership of the file/directory may also be changed.
+ is often confusing to DOS/Windows users. Enabling this parameter
+ allows a user who has write access to the file (by whatever
+ means, including an ACL permission) to modify the permissions
+ (including ACL) on it. Note that a user belonging to the group
+ owning the file will not be allowed to change permissions if
+ the group is only granted read access. Ownership of the
+ file/directory may also be changed.
 no
diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
index e2600ca9da..6efd46dd8d 100644
--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -30,8 +30,10 @@
- This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now
- implemented by the dos filemode option.
+ This is parameter has been was deprecated in Samba 3.0.23, but re-activated in
+ Samba 3.0.31 and above, as it now only controls permission changes if the user
+ is in the owning primary group. It is now no longer equivalent to the
+ dos filemode option.
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index b679b79fea..b2cbbf1671 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1507,7 +1507,7 @@ static struct parm_struct parm_table[] = {
 .ptr = &sDefault.bAclGroupControl,
 .special = NULL,
 .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED,
+ .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 },
 {
 .label = "acl map full control",
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index e92a263ca0..427cfc9a0d 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2362,20 +2362,32 @@ static bool current_user_in_group(gid_t gid)
 }
 /****************************************************************************
- Should we override a deny ? Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ? Check 'acl group control' and 'dos filemode'.
 ****************************************************************************/
-static bool acl_group_override(connection_struct *conn, gid_t prim_gid)
+static bool acl_group_override(connection_struct *conn,
+ gid_t prim_gid,
+ const char *fname)
 {
- if ( (errno == EACCES || errno == EPERM)
- && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
- && current_user_in_group(prim_gid))
- {
- return True;
- }
+ SMB_STRUCT_STAT sbuf;
- return False;
+ if ((errno != EPERM) && (errno != EACCES)) {
+ return false;
+ }
+
+ /* file primary group == user primary or supplementary group */
+ if (lp_acl_group_control(SNUM(conn)) &&
+ current_user_in_group(prim_gid)) {
+ return true;
+ }
+
+ /* user has writeable permission */
+ if (lp_dos_filemode(SNUM(conn)) &&
+ can_write_to_file(conn, fname, &sbuf)) {
+ return true;
+ }
+
+ return false;
 }
 /****************************************************************************
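Review bot: The new dos filemode branch in acl_group_override returns true for any caller that `can_write_to_file` accepts, dropping the `current_user_in_group(prim_gid)` requirement the removed code applied to both options, and the callers in set_canon_ace_list and set_nt_acl apparently use that result to retry the failed ACL or chmod operation (the "Override" DEBUG text); that widening of who may bypass a deny matches the commit message, but the function should state it, e.g. `/* NOTE: the dos filemode path does not require membership of the owning group; write access to fname by any means (including an ACL entry) is enough to override the deny. */`. The `errno` test at the top reads the error of the VFS call that just failed, and `can_write_to_file` is then invoked with a stack `sbuf` — if it stats or opens `fname` it will overwrite `errno`, so callers that fall through when this returns false may report a stale or different error; saving it on entry (`int saved_errno = errno;`) and restoring it before each return keeps the original failure visible. The write check is also done by path (`fname`) while the operation the callers retry is on an open `fsp`, which deserves a comment if that is deliberate. Minor style: the body now uses `true`/`false` while the call sites in this file still use `True`/`False`.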
@@ -2561,7 +2573,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
 *pacl_set_support = False;
 }
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
 int sret;
 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -2592,7 +2604,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
 *pacl_set_support = False;
 }
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
 int sret;
 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -3570,7 +3582,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
 int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
 DEBUG(5,("set_nt_acl: acl group control on and "
 "current user in file %s primary group. Override delete_def_acl\n",
 fsp->fsp_name ));
@@ -3617,7 +3629,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
 int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
 DEBUG(5,("set_nt_acl: acl group control on and "
 "current user in file %s primary group. Override chmod\n",
 fsp->fsp_name ));
--
cgit
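Review bot: The DEBUG(5) text left unchanged at each updated call site, "acl group control on and current user in file %s primary group", now misattributes the override, because acl_group_override can also return true through the dos filemode / can_write_to_file path for a user who is not in the owning group; this applies to both set_canon_ace_list sites and both set_nt_acl sites in these hunks. A wording that names what is overridden without asserting the reason, `"set_nt_acl: acl group control or dos filemode override for file %s. Override chmod\n"`, or a trace of which option granted it, would keep the level-5 log usable when auditing why a denied permission change succeeded. The enclosing functions begin and end outside these hunks.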