From 24497516cb115b62c5161a053f9025a9c711b114 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 28 May 2003 20:25:31 +0000 Subject: Fix bug brought up by Ken Cross that empty ACE's cause existing ACE's to be applied to new ACE set calls. This is incorrect. Don't think this has a bugzilla id. Jeremy. (This used to be commit cb70d8c9e87801c314d1b926d4e43ee451c04135) --- source3/smbd/posix_acls.c | 121 ++++++---------------------------------------- 1 file changed, 14 insertions(+), 107 deletions(-) (limited to 'source3') diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 8da12b9b68..d775a82d2d 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -605,14 +605,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace, BOOL got_other = False; canon_ace *pace_other = NULL; canon_ace *pace_group = NULL; - connection_struct *conn = fsp->conn; - SMB_ACL_T current_posix_acl = NULL; - mode_t current_user_perms = 0; - mode_t current_grp_perms = 0; - mode_t current_other_perms = 0; - BOOL got_current_user = False; - BOOL got_current_grp = False; - BOOL got_current_other = False; for (pace = *pp_ace; pace; pace = pace->next) { if (pace->type == SMB_ACL_USER_OBJ) { @@ -645,62 +637,6 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace, } } - /* - * When setting ACLs and missing one out of SMB_ACL_USER_OBJ, - * SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER, try to retrieve current - * values. For user and other a simple SMB_VFS_STAT would do, but - * we would get mask instead of group. Let's do it via ACL. - */ - - if (setting_acl && (!got_user || !got_grp || !got_other)) { - - SMB_ACL_ENTRY_T entry; - int entry_id = SMB_ACL_FIRST_ENTRY; - - if(fsp->is_directory || fsp->fd == -1) { - current_posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS); - } else { - current_posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, fsp->fd); - } - - if (current_posix_acl) { - while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, current_posix_acl, entry_id, &entry) == 1) { - SMB_ACL_TAG_T tagtype; - SMB_ACL_PERMSET_T permset; - - /* get_next... */ - if (entry_id == SMB_ACL_FIRST_ENTRY) - entry_id = SMB_ACL_NEXT_ENTRY; - - /* Is this a MASK entry ? */ - if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) - continue; - - if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) - continue; - - switch(tagtype) { - case SMB_ACL_USER_OBJ: - current_user_perms = convert_permset_to_mode_t(conn, permset); - got_current_user = True; - break; - case SMB_ACL_GROUP_OBJ: - current_grp_perms = convert_permset_to_mode_t(conn, permset); - got_current_grp = True; - break; - case SMB_ACL_OTHER: - current_other_perms = convert_permset_to_mode_t(conn, permset); - got_current_other = True; - break; - } - } - SMB_VFS_SYS_ACL_FREE_ACL(conn, current_posix_acl); - } else { - DEBUG(10,("ensure_canon_entry_valid: failed to retrieve current ACL of %s\n", - fsp->fsp_name)); - } - } - if (!got_user) { if ((pace = (canon_ace *)malloc(sizeof(canon_ace))) == NULL) { DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n")); @@ -715,18 +651,13 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace, pace->attr = ALLOW_ACE; if (setting_acl) { - if (got_current_user) { - pace->perms = current_user_perms; - } else { - /* If we only got an "everyone" perm, just use that. */ - if (!got_grp && got_other) - pace->perms = pace_other->perms; - else if (got_grp && uid_entry_in_group(pace, pace_group)) - pace->perms = pace_group->perms; - else - pace->perms = 0; - - } + /* If we only got an "everyone" perm, just use that. */ + if (!got_grp && got_other) + pace->perms = pace_other->perms; + else if (got_grp && uid_entry_in_group(pace, pace_group)) + pace->perms = pace_group->perms; + else + pace->perms = 0; apply_default_perms(fsp, pace, S_IRUSR); } else { @@ -749,15 +680,11 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace, pace->trustee = *pfile_grp_sid; pace->attr = ALLOW_ACE; if (setting_acl) { - if (got_current_grp) { - pace->perms = current_grp_perms; - } else { - /* If we only got an "everyone" perm, just use that. */ - if (got_other) - pace->perms = pace_other->perms; - else - pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP); - } + /* If we only got an "everyone" perm, just use that. */ + if (got_other) + pace->perms = pace_other->perms; + else + pace->perms = 0; apply_default_perms(fsp, pace, S_IRGRP); } else { pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP); @@ -779,10 +706,7 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace, pace->trustee = global_sid_World; pace->attr = ALLOW_ACE; if (setting_acl) { - if (got_current_other) - pace->perms = current_other_perms; - else - pace->perms = 0; + pace->perms = 0; apply_default_perms(fsp, pace, S_IROTH); } else pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH); @@ -2351,7 +2275,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc) int nt_acl_type; int i; - if (nt4_compatible_acls()) { + if (nt4_compatible_acls() && dir_ace) { /* * NT 4 chokes if an ACL contains an INHERIT_ONLY entry * but no non-INHERIT_ONLY entry for one SID. So we only @@ -2364,9 +2288,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc) * case will still fail under NT 4. */ - if (!dir_ace) - goto simplify_file_ace_only; - ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL); if (ace && !ace->perms) { DLIST_REMOVE(dir_ace, ace); @@ -2413,20 +2334,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc) DLIST_REMOVE(dir_ace, ace); SAFE_FREE(ace); } - - simplify_file_ace_only: - - ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL); - if (ace && !ace->perms) { - DLIST_REMOVE(file_ace, ace); - SAFE_FREE(ace); - } - - ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL); - if (ace && !ace->perms) { - DLIST_REMOVE(file_ace, ace); - SAFE_FREE(ace); - } } num_acls = count_canon_ace_list(file_ace); -- cgit