svn commit: samba r4464 - in branches/SAMBA_4_0/source/ntvfs/posix: .

tridge at samba.org tridge at samba.org
Sat Jan 1 04:25:46 GMT 2005


Author: tridge
Date: 2005-01-01 04:25:46 +0000 (Sat, 01 Jan 2005)
New Revision: 4464

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4464

Log:
added pvfs backend support for the special CREATOR_OWNER and CREATOR_GROUP inheritance rules


Modified:
   branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c
   branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c
   branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h


Changeset:
Modified: branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c	2005-01-01 03:46:55 UTC (rev 4463)
+++ branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c	2005-01-01 04:25:46 UTC (rev 4464)
@@ -470,11 +470,15 @@
 	for (i=0;i<parent_sd->dacl->num_aces;i++) {
 		struct security_ace ace = parent_sd->dacl->aces[i];
 		NTSTATUS status;
+		const struct dom_sid *creator = NULL, *new_id = NULL;
+		uint32_t orig_flags;
 
 		if (!pvfs_inheritable_ace(pvfs, &ace, container)) {
 			continue;
 		}
 
+		orig_flags = ace.flags;
+
 		/* see the RAW-ACLS inheritance test for details on these rules */
 		if (!container) {
 			ace.flags = 0;
@@ -489,7 +493,39 @@
 			}
 		}
 
-		status = security_descriptor_dacl_add(sd, &ace);
+		/* the CREATOR sids are special when inherited */
+		if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_owner)) {
+			creator = pvfs->sid_cache.creator_owner;
+			new_id = sd->owner_sid;
+		} else if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_group)) {
+			creator = pvfs->sid_cache.creator_group;
+			new_id = sd->group_sid;
+		} else {
+			new_id = &ace.trustee;
+		}
+
+		if (creator && container && 
+		    (ace.flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+			uint32_t flags = ace.flags;
+
+			ace.trustee = *new_id;
+			ace.flags = 0;
+			status = security_descriptor_dacl_add(sd, &ace);
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
+			}
+
+			ace.trustee = *creator;
+			ace.flags = flags | SEC_ACE_FLAG_INHERIT_ONLY;
+			status = security_descriptor_dacl_add(sd, &ace);
+		} else if (container && 
+			   !(orig_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
+			status = security_descriptor_dacl_add(sd, &ace);
+		} else {
+			ace.trustee = *new_id;
+			status = security_descriptor_dacl_add(sd, &ace);
+		}
+
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
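Review bot: `new_id` is dereferenced at `ace.trustee = *new_id;` in both the first and the last branch without a NULL check, and for the CREATOR cases it comes from `sd->owner_sid` / `sd->group_sid`. The code that fills in `sd` is outside this hunk, so if either field can still be unset when the loop runs, inheriting a CREATOR OWNER or CREATOR GROUP ACE becomes a NULL dereference in the server. A guard right after the trustee selection would make this explicit, for example `if (new_id == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. It would also help to add a short comment above the three-way `if` saying which branch produces the effective ACE for the new object and which one keeps the inherit-only CREATOR copy for descendants, since the comment at the top of the loop points only to the RAW-ACLS test.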

Modified: branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c	2005-01-01 03:46:55 UTC (rev 4463)
+++ branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c	2005-01-01 04:25:46 UTC (rev 4464)
@@ -26,6 +26,7 @@
 
 #include "includes.h"
 #include "vfs_posix.h"
+#include "librpc/gen_ndr/ndr_security.h"
 
 
 /*
@@ -82,6 +83,9 @@
 	if (pvfs->flags & PVFS_FLAG_XATTR_ENABLE) {
 		pvfs->fs_attribs |= FS_ATTR_PERSISTANT_ACLS;
 	}
+
+	pvfs->sid_cache.creator_owner = dom_sid_parse_talloc(pvfs, SID_CREATOR_OWNER);
+	pvfs->sid_cache.creator_group = dom_sid_parse_talloc(pvfs, SID_CREATOR_GROUP);
 }
 
 
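Review bot: Both `dom_sid_parse_talloc()` results are stored in `pvfs->sid_cache` without a NULL check, so a failed parse or allocation at setup time goes unnoticed. The inheritance loop in pvfs_acl.c then passes these pointers straight to `dom_sid_equal()`; whether that helper tolerates a NULL argument is not visible here, and even if it does, CREATOR ACEs would be copied to new objects without substitution, so the creator would not receive the intended access. Consider testing `if (pvfs->sid_cache.creator_owner == NULL || pvfs->sid_cache.creator_group == NULL)` and failing the setup. The enclosing function begins outside the hunk, so how it can report an error cannot be seen from here.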

Modified: branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h	2005-01-01 03:46:55 UTC (rev 4463)
+++ branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h	2005-01-01 04:25:46 UTC (rev 4464)
@@ -60,6 +60,12 @@
 
 	/* if posix:eadb is set, then this gets setup */
 	struct tdb_wrap *ea_db;
+
+	/* used to accelerate acl mapping */
+	struct {
+		const struct dom_sid *creator_owner;
+		const struct dom_sid *creator_group;		
+	} sid_cache;
 };
 
 /* this is the basic information needed about a file from the filesystem */


