author | Jeremy Allison <jra@samba.org> | 2008-10-08 18:06:58 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-10-08 18:06:58 -0700 |
commit | 543c6a02ae1dcb903de800c88af1f9e221827d61 (patch) | |
tree | 32ae5ccf825b1f67f7d22e1ec4e4d9efc00e48ee /source3/smbd | |
parent | 88a58ae0eeb553969c903a94e578375e109ad05a (diff) | |
For the vfs_acl_xattr.c module, make sure we map GENERIC file and directory bits
to specific bits every time a security descriptor is set. The S4 torture suite proves
that generic bits are not returned when querying an ACL set using them (i.e. only
the specific bits are stored on disk).
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/nttrans.c | 5 | ||||
-rw-r--r-- | source3/smbd/open.c | 4 |
2 files changed, 9 insertions, 0 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 584399c86c9..061855876ce 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -713,6 +713,7 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
 static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
 uint32 security_info_sent)
 {
+ extern const struct generic_mapping file_generic_mapping;
 SEC_DESC *psd = NULL;
 NTSTATUS status;
@@ -739,6 +740,10 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
 security_info_sent &= ~DACL_SECURITY_INFORMATION;
 }
+ /* Convert all the generic bits. */
+ security_acl_map_generic(psd->dacl, &file_generic_mapping);
+ security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
 TALLOC_FREE(psd);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index ad024a58efa..8727e80d5f7 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2764,6 +2764,10 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
 fsp->access_mask = FILE_GENERIC_ALL;
+ /* Convert all the generic bits. */
+ security_acl_map_generic(sd->dacl, &file_generic_mapping);
+ security_acl_map_generic(sd->sacl, &file_generic_mapping);
+
 status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
 fsp->access_mask = saved_access_mask;
|
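Review bot: The block-scope `extern const struct generic_mapping file_generic_mapping;` added at the top of set_sd() in nttrans.c declares the object by hand instead of taking it from a header, so the compiler cannot check it against the definition; if the two ever disagree in type, the mismatch is undefined behaviour and goes undiagnosed. Moving the declaration into a shared header included by both the defining file and nttrans.c gives one checked declaration. The open.c hunk uses the same symbol with no declaration visible in the hunk, so presumably one already exists at file scope there and the two should be unified. set_sd's body continues outside this hunk.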
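Review bot: In set_sd() (nttrans.c, hunk at -739) `psd->dacl` and `psd->sacl` are passed to security_acl_map_generic() unconditionally, and a client-supplied descriptor need not carry both ACLs, so either pointer may be NULL at this point. security_acl_map_generic() is not visible on this page; if it does not return early on a NULL ACL, guard the calls, e.g. `if (psd->dacl) security_acl_map_generic(psd->dacl, &file_generic_mapping);`. The same pair of calls is repeated in create_file_unixpath() in open.c; since the stated aim is to map generic bits every time a descriptor is set, a single helper called immediately before SMB_VFS_FSET_NT_ACL would keep any other caller of that VFS operation from storing unmapped GENERIC_* bits. The function body starts and ends outside the hunk.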
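Review bot: In create_file_unixpath() (open.c) the mapping rewrites the ACEs of `sd` in place, and `sd` appears to be the caller's descriptor (the signature is outside the hunk), so after the call the caller's copy no longer holds the access masks it passed in. That side effect deserves a comment, for example `/* Convert all the generic bits. NB: modifies the caller's sd in place. */`, or the mapping could be applied to a duplicate if any caller reuses the descriptor afterwards. The function's body starts and ends outside this hunk.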