author | Ralph Boehme <slow@samba.org> | 2014-11-26 18:01:37 +0100 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2014-12-04 22:11:08 +0100 |
commit | 5ff72827c3b74f28995b45250fe8efa79495e3b6 (patch) | |
tree | cbdbb37c11b94cff9b3fd9cf889a2d67ddfef2ab | |
parent | 2ab6b43da63715350db8675bd3804e64f4241bca (diff) | |
s3:smbd: ignore dacls with MS NFS ACEs
Ignore NFS ACEs in code that modifies
* default POSIX ACLs
* VFS: NFSv4 ACLs
* VFS: xattr and tdb ACLs
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | source3/modules/nfs4_acls.c | 3 | ||||
-rw-r--r-- | source3/modules/vfs_acl_common.c | 9 | ||||
-rw-r--r-- | source3/smbd/posix_acls.c | 10 |
3 files changed, 22 insertions, 0 deletions
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index cf61af90c5..1aa819a34f 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -778,6 +778,9 @@ static bool smbacl4_fill_ace4(
 ace_v4->who.gid = gid;
 } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
 ace_v4->who.uid = uid;
+ } else if (dom_sid_compare_domain(&ace_nt->trustee,
+ &global_sid_Unix_NFS) == 0) {
+ return false;
 } else {
 DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
 "convert %s to uid or gid\n",
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index b749157ef3..920c811de5 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -775,6 +775,15 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
 psd->group_sid = orig_psd->group_sid;
 }
 if (security_info_sent & SECINFO_DACL) {
+ if (security_descriptor_with_ms_nfs(orig_psd)) {
+ /*
+ * If the sd contains a MS NFS SID, do
+ * nothing, it's a chmod() request from OS X
+ * with AAPL context.
+ */
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
 psd->dacl = orig_psd->dacl;
 psd->type |= SEC_DESC_DACL_PRESENT;
 }
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 126b822439..6a5ec85988 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3666,6 +3666,16 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
 return NT_STATUS_INVALID_PARAMETER;
 }
+ /*
+ * MS NFS mode, here's the deal: the client merely wants to
+ * modify the mode, but roundtripping get_acl/set/acl would
+ * add additional POSIX ACEs. So in case we get a request
+ * containing a MS NFS mode SID, we do nothing here.
+ */
+ if (security_descriptor_with_ms_nfs(psd_orig)) {
+ return NT_STATUS_OK;
+ }
+
 psd = security_descriptor_copy(talloc_tos(), psd_orig);
 if (psd == NULL) {
 return NT_STATUS_NO_MEMORY; |
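Review bot: The new `dom_sid_compare_domain(&ace_nt->trustee, &global_sid_Unix_NFS) == 0` branch in smbacl4_fill_ace4 returns false with no comment and no log line, so it reads like a conversion failure rather than a deliberate skip, while the `else` branch right below it logs at level 1. I would add a comment such as `/* MS NFS ACE, not a mappable trustee: ignore it on purpose */` and a high-level `DEBUG(10, ...)` so that an ACE dropped here can be traced when an ACL does not apply as expected. What the caller does with `false` is outside the hunk; if it skips only this ACE and applies the rest, this path behaves differently from the other two files in this commit, which ignore the whole DACL, and the comment should say which is intended. The function starts and ends outside the hunk.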
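Review bot: The early `return NT_STATUS_OK` inside the `SECINFO_DACL` branch of fset_nt_acl_common reports success while discarding the whole request, including the owner and group values already copied into `psd` just above it (`psd->group_sid = orig_psd->group_sid;`). If `security_descriptor_with_ms_nfs()` (not visible here) matches on any single NFS ACE, a descriptor that combines real ACEs or an owner change with one NFS ACE is silently not applied and the client is told the permission change took effect. As far as the hunk shows, the check is also not tied to the AAPL context the comment mentions. I would at least log the ignored request, e.g. `DEBUG(10, ("ignoring DACL containing MS NFS ACE\n"));`, and extend the comment to state that owner and group in the same request are dropped too; the same applies to the early return added to set_nt_acl in posix_acls.c. The function begins and ends outside the hunk.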
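Review bot: The `security_descriptor_with_ms_nfs(psd_orig)` test added to set_nt_acl is not conditioned on `security_info_sent & SECINFO_DACL`, unlike the equivalent check added to vfs_acl_common.c in this commit, so the DACL contents decide the outcome even for a request that did not ask to set the DACL. I would write `if ((security_info_sent & SECINFO_DACL) && security_descriptor_with_ms_nfs(psd_orig)) {` so that an owner-only or group-only request still goes through. The new comment also has a slip, `get_acl/set/acl`, which presumably means `get_acl/set_acl`. set_nt_acl continues outside the hunk, so a later check may already cover part of this.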