[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2680-g93e91e5

Jeremy Allison jra at samba.org
Thu Jul 3 17:25:54 GMT 2008


The branch, v3-2-test has been updated
       via  93e91e5364a7f131d988648cf5fe822a9bd68734 (commit)
      from  3e5bff08dac4faf575a11fe3edb17af08170ed74 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit 93e91e5364a7f131d988648cf5fe822a9bd68734
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 3 10:25:26 2008 -0700

    Patch from SATOH Fumiyasu <fumiyas at osstech.co.jp> for bug #5202. Re-activate "acl group control"
    parameter and make it only apply to owning group. Also added man page fix.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/misc/dosfilemode.xml         |   17 +++++----
 docs-xml/smbdotconf/security/aclgroupcontrol.xml |    6 ++-
 source/param/loadparm.c                          |    2 +-
 source/smbd/posix_acls.c                         |   40 ++++++++++++++--------
 4 files changed, 40 insertions(+), 25 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/misc/dosfilemode.xml b/docs-xml/smbdotconf/misc/dosfilemode.xml
index ae3b475..e67ccd9 100644
--- a/docs-xml/smbdotconf/misc/dosfilemode.xml
+++ b/docs-xml/smbdotconf/misc/dosfilemode.xml
@@ -3,15 +3,16 @@
 		 type="boolean"
 		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-	<para> The default behavior in Samba is to provide 
-	UNIX-like behavior where only the owner of a file/directory is 
+	<para> The default behavior in Samba is to provide
+	UNIX-like behavior where only the owner of a file/directory is
 	able to change the permissions on it.  However, this behavior
-	is often confusing to  DOS/Windows users.  Enabling this parameter 
-	allows a user who has write access to the file (by whatever 
-	means) to modify the permissions (including ACL) on it.  Note that a user
-	belonging to the group owning the file will not be allowed to
-	change permissions if the group is only granted read access.
-	Ownership of the file/directory may also be changed.</para>
+	is often confusing to  DOS/Windows users.  Enabling this parameter
+	allows a user who has write access to the file (by whatever
+	means, including an ACL permission) to modify the permissions
+	(including ACL) on it. Note that a user belonging to the group
+	owning the file will not be allowed to change permissions if
+	the group is only granted read access. Ownership of the
+	file/directory may also be changed.</para>
 </description>
 <value type="default">no</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
index e2600ca..6efd46d 100644
--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -30,8 +30,10 @@
 	</para>
 
 	<para>
-	This is parameter has been marked deprecated in Samba 3.0.23.  The same behavior is now
-	implemented by the <parameter moreinfo="none">dos filemode</parameter> option.
+	This is parameter has been was deprecated in Samba 3.0.23, but re-activated in
+	Samba 3.0.31 and above, as it now only controls permission changes if the user
+	is in the owning primary group. It is now no longer equivalent to the
+	<parameter moreinfo="none">dos filemode</parameter> option.
 	</para>
 
 </description>
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index c6a7489..d0b8e83 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -1508,7 +1508,7 @@ static struct parm_struct parm_table[] = {
 		.ptr		= &sDefault.bAclGroupControl,
 		.special	= NULL,
 		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED,
+		.flags		= FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
 	},
 	{
 		.label		= "acl map full control",
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index c3c9d2e..86934f9 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2364,20 +2364,32 @@ static bool current_user_in_group(gid_t gid)
 }
 
 /****************************************************************************
- Should we override a deny ?  Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ? Check 'acl group control' and 'dos filemode'.
 ****************************************************************************/
 
-static bool acl_group_override(connection_struct *conn, gid_t prim_gid)
+static bool acl_group_override(connection_struct *conn,
+				gid_t prim_gid,
+				const char *fname)
 {
-	if ( (errno == EACCES || errno == EPERM) 
-		&& (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
-		&& current_user_in_group(prim_gid)) 
-	{
-		return True;
-	} 
+	SMB_STRUCT_STAT sbuf;
 
-	return False;
+	if ((errno != EPERM) && (errno != EACCES)) {
+		return false;
+	}
+
+	/* file primary group == user primary or supplementary group */
+	if (lp_acl_group_control(SNUM(conn)) &&
+			current_user_in_group(prim_gid)) {
+		return true;
+	}
+
+	/* user has writeable permission */
+	if (lp_dos_filemode(SNUM(conn)) &&
+			can_write_to_file(conn, fname, &sbuf)) {
+		return true;
+	}
+
+	return false;
 }
 
 /****************************************************************************
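Review bot: `sbuf` is declared in acl_group_override and passed to `can_write_to_file(conn, fname, &sbuf)` without being initialised. can_write_to_file is not shown in this diff, so the following is inferred: if it treats an already-populated stat buffer as a cached result and skips its own stat call, indeterminate stack contents could feed the write-access decision that gates this override. Adding `ZERO_STRUCT(sbuf);` immediately after the errno check would force the helper to fetch fresh attributes for `fname`. A one-line comment stating that the 'dos filemode' branch intentionally ignores `prim_gid` would also make the widened condition explicit for the next reader.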
@@ -2563,7 +2575,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
 				*pacl_set_support = False;
 			}
 
-			if (acl_group_override(conn, prim_gid)) {
+			if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
 				int sret;
 
 				DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
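Review bot: The DEBUG(5) text at this call site still reads `acl group control on and current user in file %s primary group`, but acl_group_override can now also return true through the 'dos filemode' write-access branch, so the log may attribute an override to a group membership that was never checked. The same stale message sits at the other three call sites touched in this file (the second set_canon_ace_list hunk and both set_nt_acl hunks). Because these lines record why a permission denial was overridden, a neutral wording such as `override allowed by 'acl group control' or 'dos filemode' on file %s` would keep the trail accurate. The DEBUG statement and the enclosing function continue outside the hunk.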
@@ -2594,7 +2606,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
 				*pacl_set_support = False;
 			}
 
-			if (acl_group_override(conn, prim_gid)) {
+			if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
 				int sret;
 
 				DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -3572,7 +3584,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 					if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
 						int sret = -1;
 
-						if (acl_group_override(conn, sbuf.st_gid)) {
+						if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
 							DEBUG(5,("set_nt_acl: acl group control on and "
 								"current user in file %s primary group. Override delete_def_acl\n",
 								fsp->fsp_name ));
@@ -3619,7 +3631,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 
 					if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
 						int sret = -1;
-						if (acl_group_override(conn, sbuf.st_gid)) {
+						if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
 							DEBUG(5,("set_nt_acl: acl group control on and "
 								"current user in file %s primary group. Override chmod\n",
 								fsp->fsp_name ));


-- 
Samba Shared Repository

