authorJeremy Allison <jra@samba.org>2001-05-10 01:03:07 +0000
committerJeremy Allison <jra@samba.org>2001-05-10 01:03:07 +0000
commitb508223553687453a55af4509b10571d58512728 (patch)
treeb6e6b212d4f74f4b1f0bb53cb5915f3caa701738
parent6ab7734697c9af2d069f6967a47b5be0b004b626 (diff)
Made "security XXX" masks always apply to ACL sets. By default they have
no effect. Jeremy.
-rw-r--r--source/include/proto.h13
-rw-r--r--source/param/loadparm.c57
-rw-r--r--source/smbd/posix_acls.c48
3 files changed, 31 insertions, 87 deletions
diff --git a/source/include/proto.h b/source/include/proto.h
index 30763a26350..8a55b47f819 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -1855,15 +1855,14 @@ BOOL lp_dos_filetime_resolution(int );
BOOL lp_fake_dir_create_times(int );
BOOL lp_blocking_locks(int );
BOOL lp_inherit_perms(int );
-BOOL lp_restrict_acl_with_mask(int );
int lp_create_mask(int );
int lp_force_create_mode(int );
-int _lp_security_mask(int );
-int _lp_force_security_mode(int );
+int lp_security_mask(int );
+int lp_force_security_mode(int );
int lp_dir_mask(int );
int lp_force_dir_mode(int );
-int _lp_dir_security_mask(int );
-int _lp_force_dir_security_mode(int );
+int lp_dir_security_mask(int );
+int lp_force_dir_security_mode(int );
int lp_max_connections(int );
int lp_defaultcase(int );
int lp_minprintspace(int );
@@ -1905,10 +1904,6 @@ int lp_default_server_announce(void);
int lp_major_announce_version(void);
int lp_minor_announce_version(void);
void lp_set_name_resolve_order(char *new_order);
-int lp_security_mask(int snum);
-int lp_force_security_mode(int snum);
-int lp_dir_security_mask(int snum);
-int lp_force_dir_security_mode(int snum);
char *lp_printername(int snum);
/*The following definitions come from param/params.c */
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index c8814568a66..bb7413b8e95 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -388,7 +388,6 @@ typedef struct
BOOL bBlockingLocks;
BOOL bInheritPerms;
BOOL bMSDfsRoot;
- BOOL bRestrictAclWithMask;
char dummy[3]; /* for alignment */
}
@@ -447,12 +446,12 @@ static service sDefault = {
0, /* iWriteCacheSize */
0744, /* iCreate_mask */
0000, /* iCreate_force_mode */
- -1, /* iSecurity_mask */
- -1, /* iSecurity_force_mode */
+ 0777, /* iSecurity_mask */
+ 0, /* iSecurity_force_mode */
0755, /* iDir_mask */
0000, /* iDir_force_mode */
- -1, /* iDir_Security_mask */
- -1, /* iDir_Security_force_mode */
+ 777, /* iDir_Security_mask */
+ 0, /* iDir_Security_force_mode */
0, /* iMaxConnections */
CASE_LOWER, /* iDefaultCase */
DEFAULT_PRINTING, /* iPrinting */
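Review bot: The new default for iDir_Security_mask in sDefault is written as `777`, a decimal literal, while the file-side default iSecurity_mask in the same hunk is octal `0777`. Decimal 777 is 01411 in octal, so the directory mask would keep only the sticky, user-read, group-execute and other-execute bits. ACL sets on directories would then be stripped by default instead of passing through unchanged, which contradicts the commit message's "By default they have no effect". The line should read `0777, /* iDir_Security_mask */`.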
@@ -502,7 +501,6 @@ static service sDefault = {
True, /* bBlockingLocks */
False, /* bInheritPerms */
False, /* bMSDfsRoot */
- False, /* bRestrictAclWithMask */
"" /* dummy */
};
@@ -787,7 +785,6 @@ static struct parm_struct parm_table[] = {
{"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
{"nt acl support", P_BOOL, P_GLOBAL, &Globals.bNTAclSupport, NULL, NULL, 0},
- {"restrict acl with mask", P_BOOL, P_LOCAL, &sDefault.bRestrictAclWithMask, NULL, NULL, FLAG_SHARE},
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, 0},
{"announce as", P_ENUM, P_GLOBAL, &Globals.announce_as, NULL, enum_announce_as, 0},
{"max mux", P_INTEGER, P_GLOBAL, &Globals.max_mux, NULL, NULL, 0},
@@ -1655,15 +1652,14 @@ FN_LOCAL_BOOL(lp_dos_filetime_resolution, bDosFiletimeResolution)
FN_LOCAL_BOOL(lp_fake_dir_create_times, bFakeDirCreateTimes)
FN_LOCAL_BOOL(lp_blocking_locks, bBlockingLocks)
FN_LOCAL_BOOL(lp_inherit_perms, bInheritPerms)
-FN_LOCAL_BOOL(lp_restrict_acl_with_mask, bRestrictAclWithMask)
FN_LOCAL_INTEGER(lp_create_mask, iCreate_mask)
FN_LOCAL_INTEGER(lp_force_create_mode, iCreate_force_mode)
-FN_LOCAL_INTEGER(_lp_security_mask, iSecurity_mask)
-FN_LOCAL_INTEGER(_lp_force_security_mode, iSecurity_force_mode)
+FN_LOCAL_INTEGER(lp_security_mask, iSecurity_mask)
+FN_LOCAL_INTEGER(lp_force_security_mode, iSecurity_force_mode)
FN_LOCAL_INTEGER(lp_dir_mask, iDir_mask)
FN_LOCAL_INTEGER(lp_force_dir_mode, iDir_force_mode)
-FN_LOCAL_INTEGER(_lp_dir_security_mask, iDir_Security_mask)
-FN_LOCAL_INTEGER(_lp_force_dir_security_mode, iDir_Security_force_mode)
+FN_LOCAL_INTEGER(lp_dir_security_mask, iDir_Security_mask)
+FN_LOCAL_INTEGER(lp_force_dir_security_mode, iDir_Security_force_mode)
FN_LOCAL_INTEGER(lp_max_connections, iMaxConnections)
FN_LOCAL_INTEGER(lp_defaultcase, iDefaultCase)
FN_LOCAL_INTEGER(lp_minprintspace, iMinPrintSpace)
@@ -3589,43 +3585,6 @@ void lp_set_name_resolve_order(char *new_order)
Globals.szNameResolveOrder = new_order;
}
-/***********************************************************
- Functions to return the current security masks/modes. If
- set to -1 then return the create mask/mode instead.
-************************************************************/
-
-int lp_security_mask(int snum)
-{
- int val = _lp_security_mask(snum);
- if (val == -1)
- return lp_create_mask(snum);
- return val;
-}
-
-int lp_force_security_mode(int snum)
-{
- int val = _lp_force_security_mode(snum);
- if (val == -1)
- return lp_force_create_mode(snum);
- return val;
-}
-
-int lp_dir_security_mask(int snum)
-{
- int val = _lp_dir_security_mask(snum);
- if (val == -1)
- return lp_dir_mask(snum);
- return val;
-}
-
-int lp_force_dir_security_mode(int snum)
-{
- int val = _lp_force_dir_security_mode(snum);
- if (val == -1)
- return lp_force_dir_mode(snum);
- return val;
-}
-
char *lp_printername(int snum)
{
char *ret = _lp_printername(snum);
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index 0d020a8ebbe..53729a6f5db 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -468,17 +468,14 @@ static mode_t apply_default_perms(files_struct *fsp, mode_t perms, mode_t type)
mode_t and_bits = (mode_t)0;
mode_t or_bits = (mode_t)0;
- if (!lp_restrict_acl_with_mask(snum))
- return perms;
-
/* Get the initial bits to apply. */
if (fsp->is_directory) {
- and_bits = lp_dir_mask(snum);
- or_bits = lp_force_dir_mode(snum);
+ and_bits = lp_dir_security_mask(snum);
+ or_bits = lp_force_dir_security_mode(snum);
} else {
- and_bits = lp_create_mask(snum);
- or_bits = lp_force_create_mode(snum);
+ and_bits = lp_security_mask(snum);
+ or_bits = lp_force_security_mode(snum);
}
/* Now bounce them into the S_USR space. */
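Review bot: With the `lp_restrict_acl_with_mask(snum)` early return gone, and_bits/or_bits in apply_default_perms come only from lp_security_mask/lp_dir_security_mask and their force counterparts, so a share that set the removed option and relied on its create/directory masks to limit client-set ACLs is no longer limited by them. Combined with the loadparm.c hunk that drops the -1 fallback to the create masks, such a share appears to get the 0777/0 defaults unless the security masks are set explicitly; this is inferred from the hunks shown, and the function body starts and ends outside this hunk. The same holds for create_default_mode and convert_canon_ace_to_posix_perms. I would record it above the block with `/* Masks come from the security mask settings only; the create/dir masks are no longer consulted. */` and have the upgrade notes tell administrators to set the security masks where they depended on the old behaviour.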
@@ -1174,20 +1171,17 @@ static mode_t create_default_mode(files_struct *fsp, BOOL interitable_mode)
if (fsp->is_directory)
mode |= (S_IWUSR|S_IXUSR);
- if (!lp_restrict_acl_with_mask(snum))
- return mode;
-
/*
* Now AND with the create mode/directory mode bits then OR with the
* force create mode/force directory mode bits.
*/
if (fsp->is_directory) {
- and_bits = lp_dir_mask(snum);
- or_bits = lp_force_dir_mode(snum);
+ and_bits = lp_dir_security_mask(snum);
+ or_bits = lp_force_dir_security_mode(snum);
} else {
- and_bits = lp_create_mask(snum);
- or_bits = lp_force_create_mode(snum);
+ and_bits = lp_security_mask(snum);
+ or_bits = lp_force_security_mode(snum);
}
return ((mode & and_bits)|or_bits);
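Review bot: The block comment kept in create_default_mode still says the mode is ANDed with the create mode/directory mode bits and ORed with the force create mode/force directory mode bits, but the new lines read lp_security_mask/lp_dir_security_mask and the force security accessors. It should name the security masks instead, e.g. `* Now AND with the security mask bits then OR with the` / `* force security mode bits.` The kept comment `/* If requested apply the masks. */` in the convert_canon_ace_to_posix_perms hunk is stale in the same way, since the masks are now applied unconditionally; `/* Always apply the security masks. */` would match the code. Both function bodies extend beyond their hunks.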
@@ -1703,6 +1697,8 @@ static BOOL convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
canon_ace *owner_ace = NULL;
canon_ace *group_ace = NULL;
canon_ace *other_ace = NULL;
+ mode_t and_bits;
+ mode_t or_bits;
if (ace_count != 3) {
DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
@@ -1743,24 +1739,18 @@ posix perms.\n", fsp->fsp_name ));
/* If requested apply the masks. */
- if (lp_restrict_acl_with_mask(snum)) {
- mode_t and_bits;
- mode_t or_bits;
-
- /* Get the initial bits to apply. */
-
- if (fsp->is_directory) {
- and_bits = lp_dir_mask(snum);
- or_bits = lp_force_dir_mode(snum);
- } else {
- and_bits = lp_create_mask(snum);
- or_bits = lp_force_create_mode(snum);
- }
-
- *posix_perms = (((*posix_perms) & and_bits)|or_bits);
+ /* Get the initial bits to apply. */
+ if (fsp->is_directory) {
+ and_bits = lp_dir_security_mask(snum);
+ or_bits = lp_force_dir_security_mode(snum);
+ } else {
+ and_bits = lp_security_mask(snum);
+ or_bits = lp_force_security_mode(snum);
}
+ *posix_perms = (((*posix_perms) & and_bits)|or_bits);
+
DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
(int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
fsp->fsp_name ));