From c251a6b0442abc13bc8be4ff8de324c1d7706a78 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 2 Oct 2012 10:25:14 -0700
Subject: When creating a new file/directory, we need to obey the create mask/directory mask parameters. Currently we call FSET_NT_ACL to inherit any ACLs on create. However FSET_NT_ACL uses the security mask/directory security mask parameters instead of the create mask/directory mask parameters. Swap them temporarily when creating to ensure the correct masks are applied.
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Tue Oct 2 22:27:17 CEST 2012 on sn-devel-104
---
 source3/smbd/open.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d4babd40f7..bea4d99285 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3436,6 +3436,9 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn));
 bool inheritable_components = false;
 size_t size = 0;
+ int orig_security_mask = 0;
+ int orig_directory_security_mask = 0;
+ int snum = SNUM(fsp->conn);
 if (!parent_dirname(ctx, fsp->fsp_name->base_name, &parent_name, NULL)) {
 return NT_STATUS_NO_MEMORY;
@@ -3506,6 +3509,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 NDR_PRINT_DEBUG(security_descriptor, psd);
 }
+ /* Temporarily replace the security masks with the create masks,
+ as we're actually doing a create here - we only call this
+ when we've created a file or directory - but there's no
+ way for FSET_NT_ACL to know the difference. */
+
+ orig_security_mask = lp_set_security_mask(snum, lp_create_mask(snum));
+ orig_directory_security_mask = lp_set_directory_security_mask(snum, lp_dir_mask(snum));
 if (inherit_owner) {
 /* We need to be root to force this. */
 become_root();
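Review bot: Only the two mask parameters are swapped before the ACL set in the `-3506,6 +3509,14` hunk; if the FSET_NT_ACL path also applies `force security mode` / `force directory security mode` (not visible here), a newly created file would get the create masks combined with the security force bits rather than `force create mode` / `force directory mode`, so the resulting permissions may still differ from what the commit message promises. It is worth confirming that and, if so, swapping the force modes at the same place. The swap also overwrites per-share configuration for the whole process until the restore at the end of inherit_new_acl(), and the comment should say so, e.g. `/* NB: changes share-wide settings; must be undone before returning. */`. The function body starts and ends outside this hunk.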
@@ -3516,6 +3527,10 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 if (inherit_owner) {
 unbecome_root();
 }
+
+ (void)lp_set_security_mask(snum, orig_security_mask);
+ (void)lp_set_directory_security_mask(snum, orig_directory_security_mask);
+
 return status;
 }
-- cgit
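Review bot: The restore at the end of inherit_new_acl() runs only if control reaches this single exit; the statements between `become_root()` and this hunk are not shown, and any early return added there later would leave the share's security masks replaced by the create masks for every later ACL change made by this process. A short comment on the restore would make the pairing explicit, e.g. `/* Undo the temporary mask swap above; every exit after the swap must pass through here. */`. The swap also relies on `lp_set_security_mask()` and `lp_set_directory_security_mask()` returning the previous value, which is not visible on this page and should be confirmed against their definitions.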