summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2011-09-08 14:10:16 -0700
committerKarolin Seeger <kseeger@samba.org>2011-10-24 19:16:53 +0200
commit8ffc3f4f206dfd729c943505cd36036882bc57ee (patch)
tree28b6189622fd8ee1a92d184f75cc1aa7fbb7bc96
parent9fcee67236dbbcdff0b5f825d338eae818d4321b (diff)
downloadsamba-8ffc3f4f206dfd729c943505cd36036882bc57ee.tar.gz
samba-8ffc3f4f206dfd729c943505cd36036882bc57ee.tar.xz
samba-8ffc3f4f206dfd729c943505cd36036882bc57ee.zip
Second part of fix for bug #8443 - Default user entry is set to minimal permissions on incoming ACL change with no user specified.
Be smarter about setting default permissions when a ACL_USER_OBJ isn't given. Use the principle of least surprises for the user. (cherry picked from commit abf0629535a8082229810c6905c356b20c482be9)
-rw-r--r--source3/smbd/posix_acls.c19
1 files changed, 11 insertions, 8 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 1457ec1bde8..555f9c00fd2 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1397,29 +1397,32 @@ static bool ensure_canon_entry_valid(canon_ace **pp_ace,
pace->unix_ug.uid = pst->st_ex_uid;
pace->trustee = *pfile_owner_sid;
pace->attr = ALLOW_ACE;
+ /* Start with existing permissions, principle of least
+ surprises for the user. */
+ pace->perms = pst->st_ex_mode;
if (setting_acl) {
/* See if the owning user is in any of the other groups in
- the ACE. If so, OR in the permissions from that group. */
+ the ACE, or if there's a matching user entry.
+ If so, OR in the permissions from that entry. */
- bool group_matched = False;
canon_ace *pace_iter;
for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
- if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
+ if (pace_iter->type == SMB_ACL_USER &&
+ pace_iter->unix_ug.uid == pace->unix_ug.uid) {
+ pace->perms |= pace_iter->perms;
+ } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
if (uid_entry_in_group(pace, pace_iter)) {
pace->perms |= pace_iter->perms;
- group_matched = True;
}
}
}
- /* If we only got an "everyone" perm, just use that. */
- if (!group_matched) {
+ if (pace->perms == 0) {
+ /* If we only got an "everyone" perm, just use that. */
if (got_other)
pace->perms = pace_other->perms;
- else
- pace->perms = 0;
}
apply_default_perms(params, is_directory, pace, S_IRUSR);