From c991ac0ebf13bf7832b33dffca388f6f14755fbb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Aug 2012 12:11:50 +1000 Subject: s3-smbd: Merge ACE entries based on mapped UID/GID not SID As the test for a valid posix ACL is based on the unix uid/gid only appearing once in the ACL the merge process also needs to be UID/GID based. This is a problem when we have multiple builtin groups mapped to the same POSIX group as happens in a Samba4 provision. Andrew Bartlett Signed-off-by: Jeremy Allison --- source3/smbd/posix_acls.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3') diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index f07f72ebb7..3485974320 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -919,7 +919,7 @@ void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, } /**************************************************************************** - Merge aces with a common sid - if both are allow or deny, OR the permissions together and + Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and delete the second one. If the first is deny, mask the permissions off and delete the allow if the permissions become zero, delete the deny if the permissions are non zero. ****************************************************************************/ 
@@ -955,11 +955,11 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl) */ if (!dir_acl) { - can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) && + can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id && curr_ace->owner_type == curr_ace_outer->owner_type && (curr_ace->attr == curr_ace_outer->attr)); } else { - can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) && + can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id && curr_ace->owner_type == curr_ace_outer->owner_type && (curr_ace->type == curr_ace_outer->type) && (curr_ace->attr == curr_ace_outer->attr)); @@ -1009,7 +1009,7 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl) * we've put on the ACL, we know the deny must be the first one. */ - if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) && + if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id && (curr_ace->owner_type == curr_ace_outer->owner_type) && (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) { -- cgit
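Review bot: Both `can_merge` assignments now treat ACEs with different trustee SIDs as one entry whenever `unix_ug.id` and `owner_type` match, so the allow masks of distinct SIDs are OR'ed together and the surviving entry keeps only one `trustee`. The commit message intends this, but it can grant more than the NT ACL the client supplied, so it deserves a why-comment at the comparison, e.g. `/* Compare mapped ids, not SIDs: several SIDs may map to one uid/gid, and a POSIX ACL may list each id only once. */`. Please also confirm that `unix_ug.id` is set to a defined value for every `owner_type` that reaches this loop (presumably including the world entry), since that field now decides whether entries merge. The same three-clause test appears in both branches, so a small static helper would keep them in step. The body of merge_aces starts and ends outside the hunk.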
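Review bot: In the deny/allow pass, a deny ACE written for one SID now masks bits off an allow ACE written for a different SID that maps to the same uid/gid, and nothing records that this happened. The result is more restrictive, but the effective POSIX ACL can differ from what the administrator set with no trace in the logs. Consider a debug line inside this branch when the trustees differ, for example `if (!dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee)) { DEBUG(10, ("merge_aces: deny/allow merge across different SIDs with the same unix id\n")); }`. The same trace would be useful at the `can_merge` site in the previous hunk. The enclosing loop continues outside the hunk.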