From 2f99c0e602f4fe4d7a95e08d882a0669d9adad11 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Jun 2001 01:49:30 +0000 Subject: lib/util_getent.c: removed debug code. smbd/posix_acls.c: Attempt to fix the "lose default acl" problem in Solaris. Needs testing. lib/sysacls.c: Typo fix. Jeremy. (This used to be commit d989f8bd3e1524183a24fb67be1af05b3289f648) --- source3/lib/util_getent.c | 7 ++----- source3/smbd/posix_acls.c | 53 +++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 51 insertions(+), 9 deletions(-) diff --git a/source3/lib/util_getent.c b/source3/lib/util_getent.c index 610d31f0d5..5c1652f6bf 100644 --- a/source3/lib/util_getent.c +++ b/source3/lib/util_getent.c @@ -21,6 +21,7 @@ #include "includes.h" +#if 0 static void print_grent_list(struct sys_grent *glist) { DEBUG(100, ("print_grent_list: %x\n", glist )); @@ -40,6 +41,7 @@ static void print_grent_list(struct sys_grent *glist) } DEBUG(100,("FINISHED !\n\n")); } +#endif /**************************************************************** Returns a single linked list of group entries. @@ -108,8 +110,6 @@ struct sys_grent * getgrent_list(void) } endgrent(); - print_grent_list(glist); - DEBUG(100,("getgrent_list returned %x\n", glist )); return glist; err: @@ -127,12 +127,9 @@ struct sys_grent * getgrent_list(void) void grent_free (struct sys_grent *glist) { - DEBUG(100,("getgrent_free %x\n", glist )); while (glist) { struct sys_grent *prev; - print_grent_list(glist); - if (glist->gr_name) free(glist->gr_name); if (glist->gr_passwd) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index d369746e50..4832184df7 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c 
@@ -631,18 +631,19 @@ static BOOL create_canon_ace_lists(files_struct *fsp, canon_ace *current_ace = NULL; BOOL got_dir_allow = False; BOOL got_file_allow = False; - int i; + int i, j; *ppfile_ace = NULL; *ppdir_ace = NULL; + /* + * Convert the incoming ACL into a more regular form. + */ + for(i = 0; i < dacl->num_aces; i++) { - enum SID_NAME_USE sid_type; SEC_ACE *psa = &dacl->ace[i]; if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) { - free_canon_ace_list(file_ace); - free_canon_ace_list(dir_ace); DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n")); return False; } 
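Review bot: The early `return False` for an unsupported ACE type no longer calls `free_canon_ace_list()` on `file_ace` and `dir_ace`, and nothing in the hunk records why that is now safe. It is presumably safe because this first pass only validates and normalises the DACL, and no canon_ace is allocated until the later loop, but the initialisation of both lists is outside the hunk. I would add a comment on that return such as `/* Validation pass only - no canon_ace entries exist yet, so nothing to free. */`, so that a later change which allocates earlier does not quietly introduce a leak. The new block comment could also state that this pass rewrites `psa->info.mask` in the caller's DACL in place, which means a rejected ACL has been partly modified by the time the function returns False.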
@@ -664,6 +665,50 @@ static BOOL create_canon_ace_lists(files_struct *fsp, if(psa->info.mask != UNIX_ACCESS_NONE) psa->info.mask &= ~UNIX_ACCESS_NONE; + } + + /* + * Deal with the fact that NT 4.x re-writes the canonical format + * that we return for default ACLs. If a directory ACE is identical + * to a inherited directory ACE then NT changes the bits so that the + * first ACE is set to OI|IO and the second ACE for this SID is set + * to CI. We need to repair this. JRA. + */ + + for(i = 0; i < dacl->num_aces; i++) { + SEC_ACE *psa1 = &dacl->ace[i]; + + for (j = i + 1; j < dacl->num_aces; j++) { + SEC_ACE *psa2 = &dacl->ace[j]; + + if (psa1->info.mask != psa2->info.mask) + continue; + + if (!sid_equal(&psa1->sid, &psa2->sid)) + continue; + + /* + * Ok - permission bits and SIDs are equal. + * Check if flags were re-written. + */ + + if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) { + + psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)); + psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT); + + } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) { + + psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)); + psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT); + + } + } + } + + for(i = 0; i < dacl->num_aces; i++) { + enum SID_NAME_USE sid_type; + SEC_ACE *psa = &dacl->ace[i]; /* * Create a cannon_ace entry representing this NT DACL ACE. -- cgit
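Review bot: The new pairing loop matches two ACEs on `info.mask` and SID only, so an ALLOW entry and a DENY entry for the same SID with the same mask bits are treated as the NT-rewritten pair and have their OI/CI flags moved from one to the other. The first pass admits both `SEC_ACE_TYPE_ACCESS_ALLOWED` and `SEC_ACE_TYPE_ACCESS_DENIED`, so both types reach this loop. Adding `if (psa1->type != psa2->type) continue;` beside the mask and SID checks would stop a deny entry's inheritance being folded into an allow entry. The inner loop also keeps scanning after a repair, so three or more matching entries get their flags moved more than once; a `break` at the end of each repair branch would limit the fix to a single pair. create_canon_ace_lists starts and ends outside this hunk, so it is not visible here whether the repair is restricted to directories.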