s3:smbd: ease file server upgrades from 3.6 and earlier with "acl allow execute aways"

3.6 and earlier allowed open for execution when execute permissions are
not present on a file. This has been fixed in Samba 4.0.

This patch changes smbd to skip the execute bit from the ACL check
in the open code if "acl allow execute always = yes", hence
re-establishing the old behaviour in this case.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

source3/smbd/open.c

@@ -76,6 +76,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 	struct security_descriptor *sd = NULL;
 	uint32_t rejected_share_access;
 	uint32_t rejected_mask = access_mask;
+	uint32_t do_not_check_mask = 0;
 
 	rejected_share_access = access_mask & ~(conn->share_access);
 
@@ -143,10 +144,23 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
 	 * se_file_access_check() also takes care of
 	 * owner WRITE_DAC and READ_CONTROL.
 	 */
+	do_not_check_mask = FILE_READ_ATTRIBUTES;
+
+	/*
+	 * Samba 3.6 and earlier granted execute access even
+	 * if the ACL did not contain execute rights.
+	 * Samba 4.0 is more correct and checks it.
+	 * The compatibilty mode allows to skip this check
+	 * to smoothen upgrades.
+	 */
+	if (lp_acl_allow_execute_always(SNUM(conn))) {
+		do_not_check_mask |= FILE_EXECUTE;
+	}
+
 	status = se_file_access_check(sd,
 				get_current_nttok(conn),
 				use_privs,
-				(access_mask & ~FILE_READ_ATTRIBUTES),
+				(access_mask & ~do_not_check_mask),
 				&rejected_mask);
 
 	DEBUG(10,("smbd_check_access_rights: file %s requesting "