1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00

s3:smbd: don't apply create/directory mask and modes in apply_default_perms()

The mask/mode parameters should only apply to a situation with only
pure posix permissions.
Once we are dealing with ACLs and inheritance, we need to do it correctly.

This fixes bug #9462: Users can not be given write permissions any more by default

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Michael Adam 2012-12-05 15:04:01 +01:00 committed by Jeremy Allison
parent 943797c232
commit 2013bb9b4d

View File

@ -1236,48 +1236,19 @@ NTSTATUS unpack_nt_owners(struct connection_struct *conn,
return NT_STATUS_OK;
}
/****************************************************************************
Ensure the enforced permissions for this share apply.
****************************************************************************/
static void apply_default_perms(const struct share_params *params,
const bool is_directory, canon_ace *pace,
mode_t type)
static void trim_ace_perms(canon_ace *pace)
{
mode_t and_bits = (mode_t)0;
mode_t or_bits = (mode_t)0;
/* Get the initial bits to apply. */
pace->perms = pace->perms & (S_IXUSR|S_IWUSR|S_IRUSR);
}
static void ensure_minimal_owner_ace_perms(const bool is_directory,
canon_ace *pace)
{
pace->perms |= S_IRUSR;
if (is_directory) {
and_bits = lp_dir_mask(params->service);
or_bits = lp_force_dir_mode(params->service);
} else {
and_bits = lp_create_mask(params->service);
or_bits = lp_force_create_mode(params->service);
pace->perms |= (S_IWUSR|S_IXUSR);
}
/* Now bounce them into the S_USR space. */
switch(type) {
case S_IRUSR:
/* Ensure owner has read access. */
pace->perms |= S_IRUSR;
if (is_directory)
pace->perms |= (S_IWUSR|S_IXUSR);
and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
break;
case S_IRGRP:
and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
break;
case S_IROTH:
and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
break;
}
pace->perms = ((pace->perms & and_bits)|or_bits);
}
/****************************************************************************
@ -1430,45 +1401,14 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
bool got_duplicate_group = false;
for (pace = *pp_ace; pace; pace = pace->next) {
trim_ace_perms(pace);
if (pace->type == SMB_ACL_USER_OBJ) {
/*
* Ensure we have default parameters for the
* user (owner) even on default ACLs.
*/
apply_default_perms(params, is_directory, pace, S_IRUSR);
ensure_minimal_owner_ace_perms(is_directory, pace);
pace_user = pace;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
/*
* Ensure create mask/force create mode is respected on set.
*/
if (!is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
}
pace_group = pace;
} else if (pace->type == SMB_ACL_OTHER) {
/*
* Ensure create mask/force create mode is respected on set.
*/
if (!is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
}
pace_other = pace;
} else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
/*
* Ensure create mask/force create mode is respected on set.
*/
if (!is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
}
}
}
@ -1520,7 +1460,7 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
* Ensure we have default parameters for the
* user (owner) even on default ACLs.
*/
apply_default_perms(params, is_directory, pace, S_IRUSR);
ensure_minimal_owner_ace_perms(is_directory, pace);
DLIST_ADD(*pp_ace, pace);
pace_user = pace;
@ -1546,9 +1486,6 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
} else {
pace->perms = 0;
}
if (!is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
}
DLIST_ADD(*pp_ace, pace);
pace_group = pace;
@ -1568,9 +1505,6 @@ static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
pace->trustee = global_sid_World;
pace->attr = ALLOW_ACE;
pace->perms = 0;
if (!is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
}
DLIST_ADD(*pp_ace, pace);
pace_other = pace;