mirror of
https://github.com/samba-team/samba.git
synced 2024-12-27 03:21:53 +03:00
s3:smbd: fix posix acls when setting an ACL without explicit ACE for the owner (bug#2346)
The problem of bug #2346 remains for users exported by winbindd, because create_token_from_username() just fakes the token when the user is not in the local sam domain. This causes user_in_group_sid() to give totally wrong results. In uid_entry_in_group() we need to check if we already have the full unix token in the current_user struct. If so we should use the current_user unix token, instead of doing a very complex user_in_group_sid() which doesn't give reliable results anyway. metze
This commit is contained in:
parent
7d6e4c7e95
commit
b79eff843b
@ -1273,16 +1273,31 @@ static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
|
|||||||
if (sid_equal(&group_ace->trustee, &global_sid_World))
|
if (sid_equal(&group_ace->trustee, &global_sid_World))
|
||||||
return True;
|
return True;
|
||||||
|
|
||||||
/* Assume that the current user is in the current group (force group) */
|
/*
|
||||||
|
* if it's the current user, we already have the unix token
|
||||||
|
* and don't need to do the complex user_in_group_sid() call
|
||||||
|
*/
|
||||||
|
if (uid_ace->unix_ug.uid == current_user.ut.uid) {
|
||||||
|
size_t i;
|
||||||
|
|
||||||
if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
|
if (group_ace->unix_ug.gid == current_user.ut.gid) {
|
||||||
return True;
|
return True;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i=0; i < current_user.ut.ngroups; i++) {
|
||||||
|
if (group_ace->unix_ug.gid == current_user.ut.groups[i]) {
|
||||||
|
return True;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* u_name talloc'ed off tos. */
|
/* u_name talloc'ed off tos. */
|
||||||
u_name = uidtoname(uid_ace->unix_ug.uid);
|
u_name = uidtoname(uid_ace->unix_ug.uid);
|
||||||
if (!u_name) {
|
if (!u_name) {
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* notice that this is not reliable for users exported by winbindd! */
|
||||||
return user_in_group_sid(u_name, &group_ace->trustee);
|
return user_in_group_sid(u_name, &group_ace->trustee);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user