[PATCH] smbcacls revision fix
Neil Bortnak
nbortnak at cisco.com
Thu Jul 29 04:30:06 GMT 2004
Hi everyone,
I started using smbcacls and it worked great for everything except the
set (-S) feature.
After some time spent with the code and a packet sniffer I found that
all of the other functions read in the existing dacl, modify it and
write it back. The set function creates a new one.
The revision number on the dacl that gets read from the server is 2,
while the revision number in the dacl that set creates is 3. I changed the
created dacl's revision to 2 and it works perfectly now.
It may or may not be relevant, but I am using and testing this against a
NetApp Filer, and not a standard NT/2000 system. I also popped in a few
extra snippets of code.
Neil
-------------- next part --------------
--- samba-3.0.5/source/utils/smbcacls.c 2004-07-21 01:28:15.000000000 +0900
+++ samba-3.0.5.new/source/utils/smbcacls.c 2004-07-29 13:03:32.684864224 +0900
@@ -321,7 +321,7 @@
SEC_ACL *new;
SEC_ACE *aces;
if (! *the_acl) {
- (*the_acl) = make_sec_acl(ctx, 3, 1, ace);
+ (*the_acl) = make_sec_acl(ctx, 2, 1, ace);
return True;
}
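Review bot: The literal `2` passed to `make_sec_acl` in the `if (! *the_acl)` branch carries no explanation, so a later reader cannot tell why this revision was chosen or that `3` broke set. Add a comment above the call such as `/* ACL revision 2 matches the DACL servers return on query; a DACL created with revision 3 failed on set (seen against a NetApp filer) */`, or use a named constant for the revision if the tree defines one. Any other `make_sec_acl` callers that hard-code a revision are worth checking for the same mismatch. The enclosing function starts and ends outside the hunk.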
@@ -591,25 +591,30 @@
if (!sd) return EXIT_PARSE_ERROR;
if (test_args) return EXIT_OK;
- /* The desired access below is the only one I could find that works
- with NT4, W2KP and Samba */
-
- fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
-
- if (fnum == -1) {
- printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
- return EXIT_FAILED;
- }
-
- old = cli_query_secdesc(cli, fnum, ctx);
-
- if (!old) {
- printf("calc_set: Failed to query old descriptor\n");
- return EXIT_FAILED;
+ /* Skip over a call to the server for old information if we are just going
+ to overwrite it anyway */
+
+ if(mode != SMB_ACL_SET) {
+ /* The desired access below is the only one I could find that works
+ with NT4, W2KP and Samba */
+
+ fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
+
+ if (fnum == -1) {
+ printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
+ return EXIT_FAILED;
+ }
+
+ old = cli_query_secdesc(cli, fnum, ctx);
+
+ if (!old) {
+ printf("calc_set: Failed to query old descriptor\n");
+ return EXIT_FAILED;
+ }
+
+ cli_close(cli, fnum);
}
- cli_close(cli, fnum);
-
/* the logic here is rather more complex than I would like */
switch (mode) {
case SMB_ACL_DELETE:
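Review bot: With the query now wrapped in `if(mode != SMB_ACL_SET)`, `old` is no longer filled from the server on the set path, yet the later hunk still reads `old->revision`, `old->type` and `old->dacl` unconditionally. The `SMB_ACL_SET` case of the switch is outside this hunk, so whether it assigns `old` cannot be confirmed from here. If it does, a comment on the new block such as `/* SMB_ACL_SET takes old from the parsed descriptor in the switch below */` would record that dependency, and initialising `old` to NULL at its declaration would make a missed assignment a detectable failure instead of a read of an indeterminate pointer. Separately, the `if (!old)` return inside the new block leaves `fnum` open; `cli_close(cli, fnum);` before `return EXIT_FAILED;` would release it.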
@@ -682,6 +687,11 @@
sd = make_sec_desc(ctx,old->revision, old->type, NULL, NULL,
NULL, old->dacl, &sd_size);
+ if(!sd) {
+ printf("cacl_set: unable to make a security descriptor\n");
+ return EXIT_FAILED;
+ }
+
fnum = cli_nt_create(cli, filename, WRITE_DAC_ACCESS);
if (fnum == -1) {