svn commit: samba r7985 - in branches/SAMBA_3_0/source: param smbd

jra at samba.org jra at samba.org
Tue Jun 28 21:48:13 GMT 2005


Author: jra
Date: 2005-06-28 21:48:09 +0000 (Tue, 28 Jun 2005)
New Revision: 7985

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7985

Log:
Add "acl map full control", true by default, to let people choose whether
rwx is mapped to full control or not. Requested feature at SambaXP.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/param/loadparm.c
   branches/SAMBA_3_0/source/smbd/posix_acls.c


Changeset:
Modified: branches/SAMBA_3_0/source/param/loadparm.c
===================================================================
--- branches/SAMBA_3_0/source/param/loadparm.c	2005-06-28 21:48:06 UTC (rev 7984)
+++ branches/SAMBA_3_0/source/param/loadparm.c	2005-06-28 21:48:09 UTC (rev 7985)
@@ -437,6 +437,7 @@
 	BOOL bAfs_Share;
 	BOOL bEASupport;
 	BOOL bAclCheckPermissions;
+	BOOL bAclMapFullControl;
 	int iallocation_roundup_size;
 	int iAioReadSize;
 	int iAioWriteSize;
@@ -568,6 +569,7 @@
 	False,			/* bAfs_Share */
 	False,			/* bEASupport */
 	True,			/* bAclCheckPermissions */
+	True,			/* bAclMapFullControl */
 	SMB_ROUNDUP_ALLOCATION_SIZE,		/* iallocation_roundup_size */
 	0,			/* iAioReadSize */
 	0,			/* iAioWriteSize */
@@ -874,6 +876,7 @@
 	{"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE}, 
 
 	{"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
+	{"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
 	{"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
 	{"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE}, 
 	{"force create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_force_mode, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, 
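Review bot: The new "acl map full control" table entry is added with no description of what turning it off does, and the commit's file list shows only loadparm.c and posix_acls.c, so no parameter documentation is visible in this change. Because the option alters the access mask that clients are shown for rwx entries, a short comment next to the entry would help administrators and reviewers, for example `/* False: rwx ACL entries are not reported to clients as NT Full Control */`. The option is settable per share (`P_LOCAL`, `FLAG_SHARE`), so it is also worth stating that different shares on one server may report the same POSIX ACL differently.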
@@ -1979,6 +1982,7 @@
 FN_LOCAL_BOOL(lp_map_acl_inherit, bMap_acl_inherit)
 FN_LOCAL_BOOL(lp_afs_share, bAfs_Share)
 FN_LOCAL_BOOL(lp_acl_check_permissions, bAclCheckPermissions)
+FN_LOCAL_BOOL(lp_acl_map_full_control, bAclMapFullControl)
 FN_LOCAL_INTEGER(lp_create_mask, iCreate_mask)
 FN_LOCAL_INTEGER(lp_force_create_mode, iCreate_force_mode)
 FN_LOCAL_INTEGER(lp_security_mask, iSecurity_mask)

Modified: branches/SAMBA_3_0/source/smbd/posix_acls.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/posix_acls.c	2005-06-28 21:48:06 UTC (rev 7984)
+++ branches/SAMBA_3_0/source/smbd/posix_acls.c	2005-06-28 21:48:09 UTC (rev 7985)
@@ -801,14 +801,14 @@
  not get. Deny entries are implicit on get with ace->perms = 0.
 ****************************************************************************/
 
-static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace)
+static SEC_ACCESS map_canon_ace_perms(int snum, int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace)
 {
 	SEC_ACCESS sa;
 	uint32 nt_mask = 0;
 
 	*pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
 
-	if ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS) {
+	if (lp_acl_map_full_control(snum) && ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
 		if (directory_ace) {
 			nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
 		} else {
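Review bot: The header comment above map_canon_ace_perms is not updated for the new `snum` parameter or for the fact that the full-control mapping is now conditional on `lp_acl_map_full_control(snum)`. I would add a sentence such as `snum selects the share whose "acl map full control" setting decides whether rwx is returned as full control.` This hunk only covers the direction where a POSIX ACL is returned to the client; whether the reverse mapping (an incoming NT full-control mask to rwx) consults the same option is not visible here and should be confirmed, so that a get followed by a set of an unchanged ACL does not alter permissions. The function body continues outside the hunk.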
@@ -2711,7 +2711,7 @@
 	 * Get the owner, group and world SIDs.
 	 */
 
-	if (lp_profile_acls(SNUM(fsp->conn))) {
+	if (lp_profile_acls(SNUM(conn))) {
 		/* For WXP SP1 the owner must be administrators. */
 		sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
 		sid_copy(&group_sid, &global_sid_Builtin_Users);
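Review bot: `SNUM(conn)` replaces `SNUM(fsp->conn)` here and in the hunks at -2825, -2843 and -2851, but the declaration of `conn` lies outside every hunk shown, so this diff alone does not establish that it always equals `fsp->conn`. If it is a local initialised from `fsp->conn`, that is a harmless cleanup, though it is not mentioned in the log and the same code still reads `fsp->is_directory` directly. Since this value picks the share whose `lp_profile_acls` and `lp_acl_map_full_control` settings apply, a comment at the declaration such as `/* conn is fsp->conn; used for all per-share lookups below */` would make the equivalence explicit. The enclosing function starts and ends outside the hunk.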
@@ -2825,12 +2825,12 @@
 			for (i = 0; i < num_acls; i++, ace = ace->next) {
 				SEC_ACCESS acc;
 
-				acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory);
+				acc = map_canon_ace_perms(SNUM(conn), &nt_acl_type, &owner_sid, ace, fsp->is_directory);
 				init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, ace->inherited ? SEC_ACE_FLAG_INHERITED_ACE : 0);
 			}
 
 			/* The User must have access to a profile share - even if we can't map the SID. */
-			if (lp_profile_acls(SNUM(fsp->conn))) {
+			if (lp_profile_acls(SNUM(conn))) {
 				SEC_ACCESS acc;
 
 				init_sec_access(&acc,FILE_GENERIC_ALL);
@@ -2843,7 +2843,7 @@
 			for (i = 0; i < num_def_acls; i++, ace = ace->next) {
 				SEC_ACCESS acc;
 	
-				acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory);
+				acc = map_canon_ace_perms(SNUM(conn), &nt_acl_type, &owner_sid, ace, fsp->is_directory);
 				init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc,
 						SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
 						SEC_ACE_FLAG_INHERIT_ONLY|
@@ -2851,7 +2851,7 @@
 			}
 
 			/* The User must have access to a profile share - even if we can't map the SID. */
-			if (lp_profile_acls(SNUM(fsp->conn))) {
+			if (lp_profile_acls(SNUM(conn))) {
 				SEC_ACCESS acc;
 			
 				init_sec_access(&acc,FILE_GENERIC_ALL);


