From 4a494ccf768ea242013a42b8dac61655ca863df4 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 23 May 2005 20:47:43 +0000
Subject: r6946: Allow mapping of POSIX ACLs to NT perms to differentiate
 between directories and files. Needed for Volker's coming changes. Jeremy.
 (This used to be commit b257744fdfd0a8d940ae834b3c21f0f298c7d1f9)

---
 source3/include/smb.h     |  6 ++++++
 source3/smbd/posix_acls.c | 22 ++++++++++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 41aaa317fd..35ae5723b0 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1110,6 +1110,12 @@ struct bitmap {
 #define UNIX_ACCESS_W		FILE_GENERIC_WRITE
 #define UNIX_ACCESS_X		FILE_GENERIC_EXECUTE
 
+/* Mapping of access rights to UNIX perms. for a UNIX directory. */
+#define UNIX_DIRECTORY_ACCESS_RWX		FILE_GENERIC_ALL
+#define UNIX_DIRECTORY_ACCESS_R 		FILE_GENERIC_READ
+#define UNIX_DIRECTORY_ACCESS_W			FILE_GENERIC_WRITE
+#define UNIX_DIRECTORY_ACCESS_X			FILE_GENERIC_EXECUTE
+
 #if 0
 /*
  * This is the old mapping we used to use. To get W2KSP2 profiles
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index b5052eec25..b5ac2e8241 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -801,7 +801,7 @@ static BOOL nt4_compatible_acls(void)
  not get. Deny entries are implicit on get with ace->perms = 0.
 ****************************************************************************/
 
-static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace)
+static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace)
 {
 	SEC_ACCESS sa;
 	uint32 nt_mask = 0;
@@ -809,7 +809,11 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
 	*pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
 
 	if ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS) {
+		if (directory_ace) {
+			nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
+		} else {
 			nt_mask = UNIX_ACCESS_RWX;
+		}
 	} else if ((ace->perms & ALL_ACE_PERMS) == (mode_t)0) {
 		/*
 		 * Windows NT refuses to display ACEs with no permissions in them (but
@@ -825,9 +829,15 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
 		else
 			nt_mask = 0;
 	} else {
-		nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
-		nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
-		nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
+		if (directory_ace) {
+			nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
+			nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
+			nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
+		} else {
+			nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
+			nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
+			nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
+		}
 	}
 
 	DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
@@ -2815,7 +2825,7 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
 			for (i = 0; i < num_acls; i++, ace = ace->next) {
 				SEC_ACCESS acc;
 
-				acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
+				acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory);
 				init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, ace->inherited ? SEC_ACE_FLAG_INHERITED_ACE : 0);
 			}
 
@@ -2833,7 +2843,7 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
 			for (i = 0; i < num_def_acls; i++, ace = ace->next) {
 				SEC_ACCESS acc;
 	
-				acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
+				acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory);
 				init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc,
 						SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
 						SEC_ACE_FLAG_INHERIT_ONLY|
-- 
cgit