From 6795432f272e725198dcd3514910c823d96d0a55 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 22 Nov 2011 11:53:51 -0800
Subject: Move the "set SD" code into provided SD and "inherit acls" branches.
---
source3/smbd/open.c | 61 ++++++++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 936c27e64d..95b980f99a 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3457,42 +3457,45 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 }
 }
- /*
- * According to the MS documentation, the only time the security
- * descriptor is applied to the opened file is iff we *created* the
- * file; an existing file stays the same.
- *
- * Also, it seems (from observation) that you can open the file with
- * any access mask but you can still write the sd. We need to override
- * the granted access before we call set_sd
- * Patch for bug #2242 from Tom Lackemann .
- */
-
- if ((sd != NULL) && (info == FILE_WAS_CREATED)
- && lp_nt_acl_support(SNUM(conn)) && fsp->base_fsp == NULL) {
+ if ((info == FILE_WAS_CREATED) && lp_nt_acl_support(SNUM(conn)) &&
+ fsp->base_fsp == NULL) {
+ if (sd != NULL) {
+ /*
+ * According to the MS documentation, the only time the security
+ * descriptor is applied to the opened file is iff we *created* the
+ * file; an existing file stays the same.
+ *
+ * Also, it seems (from observation) that you can open the file with
+ * any access mask but you can still write the sd. We need to override
+ * the granted access before we call set_sd
+ * Patch for bug #2242 from Tom Lackemann .
+ */
- uint32_t sec_info_sent;
- uint32_t saved_access_mask = fsp->access_mask;
+ uint32_t sec_info_sent;
+ uint32_t saved_access_mask = fsp->access_mask;
- sec_info_sent = get_sec_info(sd);
+ sec_info_sent = get_sec_info(sd);
- fsp->access_mask = FILE_GENERIC_ALL;
+ fsp->access_mask = FILE_GENERIC_ALL;
- /* Convert all the generic bits. */
- security_acl_map_generic(sd->dacl, &file_generic_mapping);
- security_acl_map_generic(sd->sacl, &file_generic_mapping);
+ /* Convert all the generic bits. */
+ security_acl_map_generic(sd->dacl, &file_generic_mapping);
+ security_acl_map_generic(sd->sacl, &file_generic_mapping);
- if (sec_info_sent & (SECINFO_OWNER|
- SECINFO_GROUP|
- SECINFO_DACL|
- SECINFO_SACL)) {
- status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
- }
+ if (sec_info_sent & (SECINFO_OWNER|
+ SECINFO_GROUP|
+ SECINFO_DACL|
+ SECINFO_SACL)) {
+ status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
+ }
- fsp->access_mask = saved_access_mask;
+ fsp->access_mask = saved_access_mask;
- if (!NT_STATUS_IS_OK(status)) {
- goto fail;
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ } else if (lp_inherit_acls(SNUM(conn))) {
+ /* Inherit from parent. */
 }
 }
-- cgit
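Review bot: The new `else if (lp_inherit_acls(SNUM(conn)))` branch contains only the comment `/* Inherit from parent. */`, so a file created without a client-supplied SD gets no ACL applied at this point even when that option is enabled. Unless inheritance is handled elsewhere in create_file_unixpath (its body starts and ends outside this hunk), the file keeps whatever permissions the create itself produced. If the branch is a placeholder for a follow-up commit, say so in place, for example `/* TODO: apply the parent directory's ACL here; until then the file keeps its create-time permissions. */`. Separately, in the `sd != NULL` branch `status` is assigned only when `sec_info_sent` carries one of the four SECINFO bits, yet `if (!NT_STATUS_IS_OK(status))` runs unconditionally and so appears to test a value left over from earlier in the function; a short comment stating that `status` is known to be OK on entry to this block, or an explicit reset before the mask test, would make that dependency visible.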