svn commit: samba r6055 - in branches/SAMBA_3_0/source/smbd: .

jra at samba.org jra at samba.org
Fri Mar 25 01:30:25 GMT 2005


Author: jra
Date: 2005-03-25 01:30:21 +0000 (Fri, 25 Mar 2005)
New Revision: 6055

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6055

Log:
Fix algorithm. If any of the primary or supplementary group ids match
an "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't
terminate on the first match. Added debug to show where the match occurred
(or didn't).
Jeremy.

Modified:
   branches/SAMBA_3_0/source/smbd/posix_acls.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/posix_acls.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/posix_acls.c	2005-03-25 00:58:34 UTC (rev 6054)
+++ branches/SAMBA_3_0/source/smbd/posix_acls.c	2005-03-25 01:30:21 UTC (rev 6055)
@@ -3860,6 +3860,11 @@
 			goto check_stat;
 		}
 
+		/* If we don't have write permission this entry never matches. */
+		if (have_write == 0) {
+			continue;
+		}
+
 		switch(tagtype) {
 			case SMB_ACL_GROUP:
 			{
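Review bot: The new guard `if (have_write == 0)` skips only an exact zero, so a negative error value from the permission lookup would pass it. Because the next hunk replaces `ret = have_write` with `ret = 1`, a gid match on such an entry would then be reported as write access, where the old code would have propagated the error value. The assignment to `have_write` is outside this hunk, so confirm that `-1` is rejected before this point; if it is not, fail closed with `if (have_write <= 0) { continue; }`. The enclosing loop and the `switch` both continue outside the hunk.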
@@ -3870,9 +3875,9 @@
 				for (i = 0; i < current_user.ngroups; i++) {
 					if (current_user.groups[i] == *pgid) {
 						/* We're done now we have a gid match. */
-						ret = have_write;
+						ret = 1;
 						DEBUG(10,("check_posix_acl_group_write: file %s \
-match on group %u -> %s.\n", fname, (unsigned int)*pgid, ret ? "can write" : "cannot write"));
+match on group %u -> can write.\n", fname, (unsigned int)*pgid ));
 						goto done;
 					}
 				}
@@ -3886,13 +3891,24 @@
 
   check_stat:
 
+	/* If we get here we know ret == 0. */
+	SMB_ASSERT(ret == 0);
+
 	for (i = 0; i < current_user.ngroups; i++) {
 		if (current_user.groups[i] == psbuf->st_gid) {
 			ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
+			DEBUG(10,("check_posix_acl_group_write: file %s \
+match on owning group %u -> %s.\n", fname, (unsigned int)psbuf->st_gid, ret ? "can write" : "cannot write"));
 			break;
 		}
 	}
 
+	if (i == current_user.ngroups) {
+		SMB_ASSERT(ret == 0);
+		DEBUG(10,("check_posix_acl_group_write: file %s \
+failed to match on user or group in token.\n", fname ));
+	}
+
   done:
 
 	SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
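Review bot: `SMB_ASSERT(ret == 0)` directly after the `check_stat:` label turns an assumed invariant into a process panic on the access-check path. The label is reached by `goto check_stat` from error branches (one is visible in the first hunk's context), and the value of `ret` on those paths cannot be verified here because its initialisation is outside the hunk. If any of them can arrive with `ret` non-zero, a request touching such a file would bring down the smbd process instead of being denied; assigning `ret = 0;` at the label denies by default without the panic. The second assert inside `if (i == current_user.ngroups)` is redundant, since the loop writes `ret` only on the branch that breaks.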


