diff options
author | Volker Lendecke <vlendec@samba.org> | 2004-07-01 14:49:44 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:52:05 -0500 |
commit | 80e57d27909a9a1edad962e3f43c2178d2da2a92 (patch) | |
tree | 278b16797f85964465e3f6ae794b9f1074308719 | |
parent | ec614a8f7d158b57f5981c1515962aca3c3e6ef4 (diff) | |
download | samba-80e57d27909a9a1edad962e3f43c2178d2da2a92.tar.gz samba-80e57d27909a9a1edad962e3f43c2178d2da2a92.tar.xz samba-80e57d27909a9a1edad962e3f43c2178d2da2a92.zip |
r1314: Restore the 2.2 'force unknown acl user' parameter. When getting a security
descriptor for a file, if the owner sid is not known, the owner uid is set to
the current uid. Same for group sid.
This makes xcopy /o possible for files that are owned by local users/groups
(local administrators for example).
Thanks to Guenther for his persistence :-)
Volker
-rw-r--r-- | source/param/loadparm.c | 4 | ||||
-rw-r--r-- | source/smbd/posix_acls.c | 42 |
2 files changed, 27 insertions, 19 deletions
diff --git a/source/param/loadparm.c b/source/param/loadparm.c index c43edd5eda7..b4686d56ea2 100644 --- a/source/param/loadparm.c +++ b/source/param/loadparm.c @@ -413,6 +413,7 @@ typedef struct BOOL bUseClientDriver; BOOL bDefaultDevmode; BOOL bNTAclSupport; + BOOL bForceUnknownAclUser; BOOL bUseSendfile; BOOL bProfileAcls; BOOL bMap_acl_inherit; @@ -536,6 +537,7 @@ static service sDefault = { False, /* bUseClientDriver */ False, /* bDefaultDevmode */ True, /* bNTAclSupport */ + False, /* bForceUnknownAclUser */ True, /* bUseSendfile */ False, /* bProfileAcls */ False, /* bMap_acl_inherit */ @@ -849,6 +851,7 @@ static struct parm_struct parm_table[] = { {"force directory mode", P_OCTAL, P_LOCAL, &sDefault.iDir_force_mode, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"directory security mask", P_OCTAL, P_LOCAL, &sDefault.iDir_Security_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"force directory security mode", P_OCTAL, P_LOCAL, &sDefault.iDir_Security_force_mode, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, + {"force unknown acl user", P_BOOL, P_LOCAL, &sDefault.bForceUnknownAclUser, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"inherit permissions", P_BOOL, P_LOCAL, &sDefault.bInheritPerms, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, {"inherit acls", P_BOOL, P_LOCAL, &sDefault.bInheritACLS, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, {"guest only", P_BOOL, P_LOCAL, &sDefault.bGuest_only, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, @@ -1893,6 +1896,7 @@ FN_LOCAL_BOOL(lp_inherit_acls, bInheritACLS) FN_LOCAL_BOOL(lp_use_client_driver, bUseClientDriver) FN_LOCAL_BOOL(lp_default_devmode, bDefaultDevmode) FN_LOCAL_BOOL(lp_nt_acl_support, bNTAclSupport) +FN_LOCAL_BOOL(lp_force_unknown_acl_user, bForceUnknownAclUser) FN_LOCAL_BOOL(lp_ea_support, bEASupport) FN_LOCAL_BOOL(_lp_use_sendfile, bUseSendfile) FN_LOCAL_BOOL(lp_profile_acls, bProfileAcls) diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c index 584164e9309..2d9591e6baa 100644 --- a/source/smbd/posix_acls.c +++ b/source/smbd/posix_acls.c @@ -880,7 +880,7 @@ static mode_t map_nt_perms( SEC_ACCESS sec_access, int type) Unpack a SEC_DESC into a UNIX owner and group. ****************************************************************************/ -static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd) +static BOOL unpack_nt_owners(int snum, SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd) { DOM_SID owner_sid; DOM_SID grp_sid; @@ -910,15 +910,17 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, if (security_info_sent & OWNER_SECURITY_INFORMATION) { sid_copy(&owner_sid, psd->owner_sid); if (!NT_STATUS_IS_OK(sid_to_uid(&owner_sid, puser))) { -#if ACL_FORCE_UNMAPPABLE - /* this allows take ownership to work reasonably */ - extern struct current_user current_user; - *puser = current_user.uid; -#else - DEBUG(3,("unpack_nt_owners: unable to validate owner sid for %s\n", - sid_string_static(&owner_sid))); - return False; -#endif + if (lp_force_unknown_acl_user(snum)) { + /* this allows take ownership to work + * reasonably */ + extern struct current_user current_user; + *puser = current_user.uid; + } else { + DEBUG(3,("unpack_nt_owners: unable to validate" + " owner sid for %s\n", + sid_string_static(&owner_sid))); + return False; + } } } @@ -930,14 +932,16 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, if (security_info_sent & GROUP_SECURITY_INFORMATION) { sid_copy(&grp_sid, psd->grp_sid); if (!NT_STATUS_IS_OK(sid_to_gid( &grp_sid, pgrp))) { -#if ACL_FORCE_UNMAPPABLE - /* this allows take group ownership to work reasonably */ - extern struct current_user current_user; - *pgrp = current_user.gid; -#else - DEBUG(3,("unpack_nt_owners: unable to validate group sid.\n")); - return False; -#endif + if (lp_force_unknown_acl_user(snum)) { + /* this allows take group ownership to work + * reasonably */ + extern struct current_user current_user; + *pgrp = current_user.gid; + } else { + DEBUG(3,("unpack_nt_owners: unable to validate" + " group sid.\n")); + return False; + } } } @@ -3005,7 +3009,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) * Unpack the user/group/world id's. */ - if (!unpack_nt_owners( &sbuf, &user, &grp, security_info_sent, psd)) + if (!unpack_nt_owners( SNUM(conn), &sbuf, &user, &grp, security_info_sent, psd)) return False; /* |