author | Stefan Metzmacher <metze@samba.org> | 2009-05-08 14:33:49 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2009-06-02 12:41:55 +0200 |
commit | 21e4502b54fbf4ae1e79dbf162c4342c537d3600 (patch) | |
tree | 52fae287fe0d3d25b18acb227e7a5c87ba71ae97 | |
parent | f28e99bc939ab739a35f19675a511319479fe0f3 (diff) | |
s3:smbd: fix posix acls when setting an ACL without explicit ACE for the owner (bug#2346)
The problem of bug #2346 remains for users exported by
winbindd, because create_token_from_username() just fakes
the token when the user is not in the local sam domain. This causes
user_in_group_sid() to give totally wrong results.
In uid_entry_in_group() we need to check if we already
have the full unix token in the current_user struct.
If so we should use the current_user unix token,
instead of doing a very complex user_in_group_sid()
which doesn't give reliable results anyway.
metze
(cherry picked from commit b79eff843be392f3065e912edca1434081d93c44)
(cherry picked from commit cb5c72c0a05a78ff1b86eb02cf5ecd3d7d69623d)
(cherry picked from commit ef0d72513b5404f176186632aab67d7b87039ba2)
-rw-r--r-- | source/smbd/posix_acls.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index b538825b951..562776e798d 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -1119,16 +1119,31 @@ static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
 if (sid_equal(&group_ace->trustee, &global_sid_World))
 return True;
- /* Assume that the current user is in the current group (force group) */
+ /*
+ * if it's the current user, we already have the unix token
+ * and don't need to do the complex user_in_group_sid() call
+ */
+ if (uid_ace->unix_ug.uid == current_user.ut.uid) {
+ size_t i;
- if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
- return True;
+ if (group_ace->unix_ug.gid == current_user.ut.gid) {
+ return True;
+ }
+
+ for (i=0; i < current_user.ut.ngroups; i++) {
+ if (group_ace->unix_ug.gid == current_user.ut.groups[i]) {
+ return True;
+ }
+ }
+ }
 /* u_name talloc'ed off tos. */
 u_name = uidtoname(uid_ace->unix_ug.uid);
 if (!u_name) {
 return False;
 }
+
+ /* notice that this is not reliable for users exported by winbindd! */
 return user_in_group_sid(u_name, &group_ace->trustee);
 }
|
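Review bot: In the new `if (uid_ace->unix_ug.uid == current_user.ut.uid)` block, a gid that matches neither `current_user.ut.gid` nor any `current_user.ut.groups[i]` still falls through to `user_in_group_sid()`, the call the added comment marks as unreliable for users exported by winbindd. The current user therefore gets a token-based answer only on a positive match, while a negative membership result, which presumably feeds the ACL mapping decision, is still left to the lookup the commit message says gives wrong results. If the unix token in `current_user` is complete at this point, which the commit message implies but the hunk does not test, adding `return False;` after the `for` loop would make the token authoritative for the current user. If the fall-through is intentional, a comment such as `/* token miss: fall back to the SID lookup, result may be wrong for winbindd users */` at the end of the block would record that. The start of `uid_entry_in_group()` lies above the hunk, so the declaration of `u_name` and any earlier checks are not visible here.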