Patch from SATOH Fumiyasu <fumiyas@osstech.co.jp> for bug #5202. Re-activate "acl group control"
parameter and make it only apply to owning group. Also added man page fix.
Jeremy.
(This used to be commit e98e080bad
)
parent
b611fd9550
commit
1fb1c67fb9
@ -3,15 +3,16 @@
|
||||
type="boolean"
|
||||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
||||
<description>
|
||||
<para> The default behavior in Samba is to provide
|
||||
UNIX-like behavior where only the owner of a file/directory is
|
||||
<para> The default behavior in Samba is to provide
|
||||
UNIX-like behavior where only the owner of a file/directory is
|
||||
able to change the permissions on it. However, this behavior
|
||||
is often confusing to DOS/Windows users. Enabling this parameter
|
||||
allows a user who has write access to the file (by whatever
|
||||
means) to modify the permissions (including ACL) on it. Note that a user
|
||||
belonging to the group owning the file will not be allowed to
|
||||
change permissions if the group is only granted read access.
|
||||
Ownership of the file/directory may also be changed.</para>
|
||||
is often confusing to DOS/Windows users. Enabling this parameter
|
||||
allows a user who has write access to the file (by whatever
|
||||
means, including an ACL permission) to modify the permissions
|
||||
(including ACL) on it. Note that a user belonging to the group
|
||||
owning the file will not be allowed to change permissions if
|
||||
the group is only granted read access. Ownership of the
|
||||
file/directory may also be changed.</para>
|
||||
</description>
|
||||
<value type="default">no</value>
|
||||
</samba:parameter>
|
||||
|
@ -30,8 +30,10 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now
|
||||
implemented by the <parameter moreinfo="none">dos filemode</parameter> option.
|
||||
This is parameter has been was deprecated in Samba 3.0.23, but re-activated in
|
||||
Samba 3.0.31 and above, as it now only controls permission changes if the user
|
||||
is in the owning primary group. It is now no longer equivalent to the
|
||||
<parameter moreinfo="none">dos filemode</parameter> option.
|
||||
</para>
|
||||
|
||||
</description>
|
||||
|
@ -1507,7 +1507,7 @@ static struct parm_struct parm_table[] = {
|
||||
.ptr = &sDefault.bAclGroupControl,
|
||||
.special = NULL,
|
||||
.enum_list = NULL,
|
||||
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED,
|
||||
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
|
||||
},
|
||||
{
|
||||
.label = "acl map full control",
|
||||
|
@ -2362,20 +2362,32 @@ static bool current_user_in_group(gid_t gid)
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Should we override a deny ? Check deprecated 'acl group control'
|
||||
and 'dos filemode'
|
||||
Should we override a deny ? Check 'acl group control' and 'dos filemode'.
|
||||
****************************************************************************/
|
||||
|
||||
static bool acl_group_override(connection_struct *conn, gid_t prim_gid)
|
||||
static bool acl_group_override(connection_struct *conn,
|
||||
gid_t prim_gid,
|
||||
const char *fname)
|
||||
{
|
||||
if ( (errno == EACCES || errno == EPERM)
|
||||
&& (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
|
||||
&& current_user_in_group(prim_gid))
|
||||
{
|
||||
return True;
|
||||
}
|
||||
SMB_STRUCT_STAT sbuf;
|
||||
|
||||
return False;
|
||||
if ((errno != EPERM) && (errno != EACCES)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
/* file primary group == user primary or supplementary group */
|
||||
if (lp_acl_group_control(SNUM(conn)) &&
|
||||
current_user_in_group(prim_gid)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
/* user has writeable permission */
|
||||
if (lp_dos_filemode(SNUM(conn)) &&
|
||||
can_write_to_file(conn, fname, &sbuf)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
@ -2561,7 +2573,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
|
||||
*pacl_set_support = False;
|
||||
}
|
||||
|
||||
if (acl_group_override(conn, prim_gid)) {
|
||||
if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
|
||||
int sret;
|
||||
|
||||
DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
|
||||
@ -2592,7 +2604,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
|
||||
*pacl_set_support = False;
|
||||
}
|
||||
|
||||
if (acl_group_override(conn, prim_gid)) {
|
||||
if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
|
||||
int sret;
|
||||
|
||||
DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
|
||||
@ -3570,7 +3582,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
|
||||
if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
|
||||
int sret = -1;
|
||||
|
||||
if (acl_group_override(conn, sbuf.st_gid)) {
|
||||
if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
|
||||
DEBUG(5,("set_nt_acl: acl group control on and "
|
||||
"current user in file %s primary group. Override delete_def_acl\n",
|
||||
fsp->fsp_name ));
|
||||
@ -3617,7 +3629,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
|
||||
|
||||
if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
|
||||
int sret = -1;
|
||||
if (acl_group_override(conn, sbuf.st_gid)) {
|
||||
if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
|
||||
DEBUG(5,("set_nt_acl: acl group control on and "
|
||||
"current user in file %s primary group. Override chmod\n",
|
||||
fsp->fsp_name ));
|
||||
|
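Review bot: In the rewritten acl_group_override, `sbuf` is declared without an initialiser and its address is passed straight to can_write_to_file() on the dos filemode branch. can_write_to_file is not shown on this page; if it treats the struct as an optional cached stat and only stats the file when the struct looks invalid, indeterminate stack contents could be read as the file's owner and mode, and the answer decides whether a failed ACL or chmod operation is overridden. Adding `SET_STAT_INVALID(sbuf);` (or `ZERO_STRUCT(sbuf);`) before the errno check would remove that doubt. Separately, the DEBUG(5) messages at the four call sites in set_canon_ace_list and set_nt_acl still read "acl group control on and current user in file %s primary group", although the override can now also be granted through dos filemode and write access, so the log no longer says which rule allowed the permission change.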