1 files changed, 34 insertions, 59 deletions

diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index e6ae1c7d799..cbb28359f94 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -1,5 +1,6 @@
 /*
-   Unix SMB/CIFS implementation.
+   Unix SMB/Netbios implementation.
+   Version 1.9.
    SMB NT Security Descriptor / Unix permission conversion.
    Copyright (C) Jeremy Allison 1994-2000
 
@@ -104,7 +105,7 @@ static void print_canon_ace(canon_ace *pace, int num)
 	dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
 	dbgtext( "SID = %s ", sid_to_string( str, &pace->trustee));
 	if (pace->owner_type == UID_ACE) {
-		const char *u_name = uidtoname(pace->unix_ug.uid);
+		char *u_name = uidtoname(pace->unix_ug.uid);
 		dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name);
 	} else if (pace->owner_type == GID_ACE) {
 		char *g_name = gidtoname(pace->unix_ug.gid);
@@ -408,7 +409,7 @@ static mode_t map_nt_perms( SEC_ACCESS sec_access, int type)
  Unpack a SEC_DESC into a UNIX owner and group.
 ****************************************************************************/
 
-static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
+static BOOL unpack_nt_owners( int snum, SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
 {
 	DOM_SID owner_sid;
 	DOM_SID grp_sid;
@@ -439,15 +440,15 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 	if (security_info_sent & OWNER_SECURITY_INFORMATION) {
 		sid_copy(&owner_sid, psd->owner_sid);
 		if (!sid_to_uid( &owner_sid, puser, &sid_type)) {
-#if ACL_FORCE_UNMAPPABLE
-			/* this allows take ownership to work reasonably */
-			extern struct current_user current_user;
-			*puser = current_user.uid;
-#else
-			DEBUG(3,("unpack_nt_owners: unable to validate owner sid for %s\n",
-				 sid_string_static(&owner_sid)));
-			return False;
-#endif
+			if (lp_force_unknown_acl_user(snum)) {
+				/* this allows take ownership to work reasonably */
+				extern struct current_user current_user;
+				*puser = current_user.uid;
+			} else {
+				DEBUG(3,("unpack_nt_owners: unable to validate owner sid for %s.\n",
+					sid_string_static(&owner_sid)));
+				return False;
+			}
 		}
  	}
 
@@ -459,14 +460,14 @@ static BOOL unpack_nt_owners(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp,
 	if (security_info_sent & GROUP_SECURITY_INFORMATION) {
 		sid_copy(&grp_sid, psd->grp_sid);
 		if (!sid_to_gid( &grp_sid, pgrp, &sid_type)) {
-#if ACL_FORCE_UNMAPPABLE
-			/* this allows take group ownership to work reasonably */
-			extern struct current_user current_user;
-			*pgrp = current_user.gid;
-#else
-			DEBUG(3,("unpack_nt_owners: unable to validate group sid.\n"));
-			return False;
-#endif
+			if (lp_force_unknown_acl_user(snum)) {
+				/* this allows take group ownership to work reasonably */
+				extern struct current_user current_user;
+				*pgrp = current_user.gid;
+			} else {
+				DEBUG(3,("unpack_nt_owners: unable to validate group sid.\n"));
+				return False;
+			}
 		}
 	}
 
@@ -1751,14 +1752,14 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
 	 */
 
 	if(default_ace || fsp->is_directory || fsp->fd == -1) {
-		if (conn->vfs_ops.sys_acl_set_file(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
+		if (conn->vfs_ops.sys_acl_set_file(conn, dos_to_unix_static(fsp->fsp_name), the_acl_type, the_acl) == -1) {
 			/*
 			 * Some systems allow all the above calls and only fail with no ACL support
 			 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
 			 */
 			if (errno == ENOSYS)
 				*pacl_set_support = False;
-			DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
+			DEBUG(2,("set_canon_ace_list: conn->vfs_ops.sys_acl_set_file type %s failed for file %s (%s).\n",
 					the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
 					fsp->fsp_name, strerror(errno) ));
 			goto done;
@@ -1771,7 +1772,7 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
 			 */
 			if (errno == ENOSYS)
 				*pacl_set_support = False;
-			DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
+			DEBUG(2,("set_canon_ace_list: conn->vfs_ops.sys_acl_set_file failed for file %s (%s).\n",
 					fsp->fsp_name, strerror(errno) ));
 			goto done;
 		}
@@ -1881,8 +1882,6 @@ static int nt_ace_comp( SEC_ACE *a1, SEC_ACE *a2)
 
 size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 {
-	extern DOM_SID global_sid_Builtin_Administrators;
-	extern DOM_SID global_sid_Builtin_Users;
 	connection_struct *conn = fsp->conn;
 	SMB_STRUCT_STAT sbuf;
 	SEC_ACE *nt_ace_list = NULL;
@@ -1897,7 +1896,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 	SMB_ACL_T dir_acl = NULL;
 	canon_ace *file_ace = NULL;
 	canon_ace *dir_ace = NULL;
-	size_t num_profile_acls = 0;
  
 	*ppdesc = NULL;
 
@@ -1913,14 +1911,14 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 		 * Get the ACL from the path.
 		 */
 
-		posix_acl = conn->vfs_ops.sys_acl_get_file(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
+		posix_acl = conn->vfs_ops.sys_acl_get_file( conn, dos_to_unix_static(fsp->fsp_name), SMB_ACL_TYPE_ACCESS);
 
 		/*
 		 * If it's a directory get the default POSIX ACL.
 		 */
 
 		if(fsp->is_directory)
-			dir_acl = conn->vfs_ops.sys_acl_get_file(conn, fsp->fsp_name, SMB_ACL_TYPE_DEFAULT);
+			dir_acl = conn->vfs_ops.sys_acl_get_file( conn, dos_to_unix_static(fsp->fsp_name), SMB_ACL_TYPE_DEFAULT);
 
 	} else {
 
@@ -1942,14 +1940,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 	 * Get the owner, group and world SIDs.
 	 */
 
-	if (lp_profile_acls(SNUM(fsp->conn))) {
-		/* For WXP SP1 the owner must be administrators. */
-		sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
-		sid_copy(&group_sid, &global_sid_Builtin_Users);
-		num_profile_acls = 2;
-	} else {
-		create_file_sids(&sbuf, &owner_sid, &group_sid);
-	}
+	create_file_sids(&sbuf, &owner_sid, &group_sid);
 
 	/* Create the canon_ace lists. */
 	file_ace = canonicalise_acl( fsp, posix_acl, &sbuf,  &owner_sid, &group_sid);
@@ -1973,7 +1964,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 	}
 
 	/* Allocate the ace list. */
-	if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+	if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
 		DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
 		goto done;
 	}
@@ -1996,13 +1987,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 			init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, 0);
 		}
 
-		/* The User must have access to a profile share - even if we can't map the SID. */
-		if (lp_profile_acls(SNUM(fsp->conn))) {
-			SEC_ACCESS acc;
-			init_sec_access(&acc,FILE_GENERIC_ALL);
-			init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc, 0);
-		}
-
 		ace = dir_ace;
 
 		for (i = 0; i < num_dir_acls; i++, ace = ace->next) {
@@ -2011,15 +1995,6 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 					SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
 		}
 
-		/* The User must have access to a profile share - even if we can't map the SID. */
-		if (lp_profile_acls(SNUM(fsp->conn))) {
-			SEC_ACCESS acc;
-			init_sec_access(&acc,FILE_GENERIC_ALL);
-			init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
-					SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
-					SEC_ACE_FLAG_INHERIT_ONLY);
-		}
-
 		/*
 		 * Sort to force deny entries to the front.
 		 */
@@ -2145,7 +2120,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 	 * Unpack the user/group/world id's.
 	 */
 
-	if (!unpack_nt_owners( &sbuf, &user, &grp, security_info_sent, psd))
+	if (!unpack_nt_owners( SNUM(conn), &sbuf, &user, &grp, security_info_sent, psd))
 		return False;
 
 	/*
@@ -2199,7 +2174,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 	if ((file_ace_list == NULL) && (dir_ace_list == NULL)) {
 		/* W2K traverse DACL set - ignore. */
 		return True;
-    }
+	}
 
 	if (!acl_perms) {
 		DEBUG(3,("set_nt_acl: cannot set permissions\n"));
@@ -2246,8 +2221,8 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 				 * No default ACL - delete one if it exists.
 				 */
 
-				if (conn->vfs_ops.sys_acl_delete_def_file(conn, fsp->fsp_name) == -1) {
-					DEBUG(3,("set_nt_acl: sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
+				if (conn->vfs_ops.sys_acl_delete_def_file(conn, dos_to_unix_static(fsp->fsp_name)) == -1) {
+					DEBUG(3,("set_nt_acl: conn->vfs_ops.sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
 					free_canon_ace_list(file_ace_list);
 					return False;
 				}
@@ -2274,7 +2249,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 				DEBUG(3,("set_nt_acl: chmod %s. perms = 0%o.\n",
 					fsp->fsp_name, (unsigned int)posix_perms ));
 
-				if(conn->vfs_ops.chmod(conn,fsp->fsp_name, posix_perms) == -1) {
+				if(conn->vfs_ops.chmod(conn,dos_to_unix_static(fsp->fsp_name), posix_perms) == -1) {
 					DEBUG(3,("set_nt_acl: chmod %s, 0%o failed. Error = %s.\n",
 							fsp->fsp_name, (unsigned int)posix_perms, strerror(errno) ));
 					free_canon_ace_list(file_ace_list);
@@ -2322,7 +2297,7 @@ static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mo
 		switch(tagtype) {
 			case SMB_ACL_USER_OBJ:
 				perms = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
-				break;
+                break;
 			case SMB_ACL_GROUP_OBJ:
 				perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
 				break;