From 5d5ddbd62490d3e87dd990554a2c7b7eaf2cc24e Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 2 Oct 2012 10:12:45 -0700
Subject: Only apply masks on non-default ACL entries when setting the ACL.
---
 source3/smbd/posix_acls.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index b74c1b24b3..125234cdfa 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1353,6 +1353,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
 static bool ensure_canon_entry_valid(connection_struct *conn,
 canon_ace **pp_ace,
+ bool is_default_acl,
 const struct share_params *params,
 const bool is_directory,
 const struct dom_sid *pfile_owner_sid,
@@ -1368,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 for (pace = *pp_ace; pace; pace = pace->next) {
 if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
 apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
 pace_user = pace;
 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
@@ -1378,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 * Ensure create mask/force create mode is respected on set.
 */
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
 apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
 pace_group = pace;
 } else if (pace->type == SMB_ACL_OTHER) {
@@ -1388,8 +1391,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 * Ensure create mask/force create mode is respected on set.
 */
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
 apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
 pace_other = pace;
 }
 }
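Review bot: The new `is_default_acl` parameter added to the `ensure_canon_entry_valid` signature carries no comment, and nothing in the hunk says what a caller is opting into by passing true — namely that on set the share's create mask / force create mode from `params` is applied only when the flag is false. Since the flag is threaded through six call sites in this commit, a one-line note on the declaration would save the next reader a trip through all of them, e.g. `bool is_default_acl, /* true for a directory's default ACL: share create/force masks are not applied to it on set */`. The function's header comment, if any, is outside the hunk and may also need the same sentence; the parameter list continues past the hunk's last line.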
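Review bot: The comment `* Ensure create mask/force create mode is respected on set.` above the SMB_ACL_GROUP_OBJ branch is now only half true, because the new condition `setting_acl && !is_default_acl` skips `apply_default_perms` for default ACL entries; the identical comment above the SMB_ACL_OTHER branch in the @@ -1388 hunk has the same problem. Suggest amending both to `* Ensure create mask/force create mode is respected on set (access ACL only; default ACL entries are stored as given).` so the comment matches the condition directly beneath it. The loop these branches belong to opens in the @@ -1368 hunk and the enclosing function continues outside all three hunks.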
@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 pace->perms = pace_other->perms;
 }
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
 } else {
 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
 }
@@ -1466,7 +1472,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 pace->perms = pace_other->perms;
 else
 pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
 } else {
 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
 }
@@ -1490,7 +1498,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
 pace->attr = ALLOW_ACE;
 if (setting_acl) {
 pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
 } else
 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@ -2531,7 +2541,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
 free_canon_ace_list(file_ace);
 free_canon_ace_list(dir_ace);
@@ -2540,7 +2550,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
 free_canon_ace_list(file_ace);
 free_canon_ace_list(dir_ace);
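Review bot: When a default ACL is being set and an owner, group or other entry has to be synthesized, the entry now keeps whatever `pace->perms` the lines just above assigned — the copied group/other perms here, `0` for the group entry when no other entry exists in the @@ -1466 hunk, and `0` unconditionally for the other entry in the @@ -1490 hunk — because the `apply_default_perms` call that used to follow is skipped under `if (!is_default_acl)`. Leaving default entries untouched by the share masks is what the commit title asks for, but a synthesized default entry with no permission bits at all is a visible change for clients that set a directory's default ACL without naming all three entries, and nothing in these hunks records that this is the intended outcome rather than an oversight. A comment above the new block, e.g. `/* Default ACL entries are stored exactly as given: share create/force masks apply to the access ACL only. */`, would make the intent reviewable; the `setting_acl` blocks these lines sit in open outside the hunks.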
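Review bot: The new argument is written `false` while the last argument of the same call is `True`, so a single call now mixes the C99 `<stdbool.h>` spelling with the legacy `True`/`False` spelling; the @@ -2540 hunk pairs `true` with `True` the same way, and the @@ -2729 hunk's caller passes `False`. Readers may take the two spellings for two different types, so either use one spelling per call, e.g. `if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, true)) {`, or leave a short comment that the legacy spelling is being phased out. unpack_canon_ace begins and ends outside the hunk.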
@@ -2729,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 * This next call will ensure we have at least a user/group/world set.
 */
- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
 S_ISDIR(psbuf->st_ex_mode), powner, pgroup, psbuf, False))
 goto fail;
-- 
cgit