svn commit: samba r24545 - in branches/SAMBA_3_0_25/source/libsmb: .
derrell at samba.org
derrell at samba.org
Sat Aug 18 18:09:26 GMT 2007
Author: derrell
Date: 2007-08-18 18:09:25 +0000 (Sat, 18 Aug 2007)
New Revision: 24545
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24545
Log:
Apply patches made recently made to the 3.2 and 3.2.0 branches but not to the
3.0.25 branch:
- Sort ACEs according to http://support.microsoft.com/kb/269175 so that
Windows Explorer doesn't complain about the order (and so that they get
interpreted properly).
- Removing all ACEs was causing removal of the DACL entirely. Win2000 ignored
the request, presumably due to the PROTECTED flag not being set. Setting
that flag (in make_sec_desc()) has much wider implications than just to
libsmbclient, so instead of modifying that, we'll remove security
descriptors by setting the number of ACEs to zero. At some point, we might
want to look into whether we should actually be setting the PROTECTED flag
in the DACL.
Reference http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsce_ctl_qxju.mspx?mfr=true
Modified:
branches/SAMBA_3_0_25/source/libsmb/libsmbclient.c
Changeset:
Modified: branches/SAMBA_3_0_25/source/libsmb/libsmbclient.c
===================================================================
--- branches/SAMBA_3_0_25/source/libsmb/libsmbclient.c 2007-08-18 17:29:49 UTC (rev 24544)
+++ branches/SAMBA_3_0_25/source/libsmb/libsmbclient.c 2007-08-18 18:09:25 UTC (rev 24545)
@@ -3748,32 +3748,94 @@
}
-/* The MSDN is contradictory over the ordering of ACE entries in an ACL.
- However NT4 gives a "The information may have been modified by a
- computer running Windows NT 5.0" if denied ACEs do not appear before
- allowed ACEs. */
+/*
+ * Sort ACEs according to the documentation at
+ * http://support.microsoft.com/kb/269175, at least as far as it defines the
+ * order.
+ */
static int
ace_compare(SEC_ACE *ace1,
SEC_ACE *ace2)
{
- if (sec_ace_equal(ace1, ace2))
+ BOOL b1;
+ BOOL b2;
+
+ /* If the ACEs are equal, we have nothing more to do. */
+ if (sec_ace_equal(ace1, ace2)) {
return 0;
+ }
- if (ace1->type != ace2->type)
+ /* Inherited follow non-inherited */
+ b1 = ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) != 0);
+ b2 = ((ace2->flags & SEC_ACE_FLAG_INHERITED_ACE) != 0);
+ if (b1 != b2) {
+ return (b1 ? 1 : -1);
+ }
+
+ /*
+ * What shall we do with AUDITs and ALARMs? It's undefined. We'll
+ * sort them after DENY and ALLOW.
+ */
+ b1 = (ace1->type != SEC_ACE_TYPE_ACCESS_ALLOWED &&
+ ace1->type != SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT &&
+ ace1->type != SEC_ACE_TYPE_ACCESS_DENIED &&
+ ace1->type != SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
+ b2 = (ace2->type != SEC_ACE_TYPE_ACCESS_ALLOWED &&
+ ace2->type != SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT &&
+ ace2->type != SEC_ACE_TYPE_ACCESS_DENIED &&
+ ace2->type != SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
+ if (b1 != b2) {
+ return (b1 ? 1 : -1);
+ }
+
+ /* Allowed ACEs follow denied ACEs */
+ b1 = (ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED ||
+ ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
+ b2 = (ace2->type == SEC_ACE_TYPE_ACCESS_ALLOWED ||
+ ace2->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
+ if (b1 != b2) {
+ return (b1 ? 1 : -1);
+ }
+
+ /*
+ * ACEs applying to an entity's object follow those applying to the
+ * entity itself
+ */
+ b1 = (ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+ ace1->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
+ b2 = (ace2->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+ ace2->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
+ if (b1 != b2) {
+ return (b1 ? 1 : -1);
+ }
+
+ /*
+ * If we get this far, the ACEs are similar as far as the
+ * characteristics we typically care about (those defined by the
+ * referenced MS document). We'll now sort by characteristics that
+ * just seems reasonable.
+ */
+
+ if (ace1->type != ace2->type) {
return ace2->type - ace1->type;
+ }
- if (sid_compare(&ace1->trustee, &ace2->trustee))
+ if (sid_compare(&ace1->trustee, &ace2->trustee)) {
return sid_compare(&ace1->trustee, &ace2->trustee);
+ }
- if (ace1->flags != ace2->flags)
+ if (ace1->flags != ace2->flags) {
return ace1->flags - ace2->flags;
+ }
- if (ace1->access_mask != ace2->access_mask)
+ if (ace1->access_mask != ace2->access_mask) {
return ace1->access_mask - ace2->access_mask;
+ }
- if (ace1->size != ace2->size)
+ if (ace1->size != ace2->size) {
return ace1->size - ace2->size;
+ }
return memcmp(ace1, ace2, sizeof(SEC_ACE));
}
@@ -5158,9 +5220,6 @@
switch (mode) {
case SMBC_XATTR_MODE_REMOVE_ALL:
old->dacl->num_aces = 0;
- prs_mem_free(old->dacl->aces);
- prs_mem_free(&old->dacl);
- old->dacl = NULL;
dacl = old->dacl;
break;
@@ -5177,11 +5236,6 @@
old->dacl->aces[k+1];
}
old->dacl->num_aces--;
- if (old->dacl->num_aces == 0) {
- prs_mem_free(&old->dacl->aces);
- prs_mem_free(&old->dacl);
- old->dacl = NULL;
- }
found = True;
dacl = old->dacl;
break;
More information about the samba-cvs
mailing list