[SCM] Samba Shared Repository - branch v3-3-test updated -
release-3-2-0pre2-3081-ge98e080
Jeremy Allison
jra at samba.org
Thu Jul 3 17:25:57 GMT 2008
The branch, v3-3-test has been updated
via e98e080bad2c8b9f038a8f2dffcfeba1d5f392ce (commit)
from 454cb852e06fa3d8bdd0eebb3ebdb24b3d74ecd0 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test
- Log -----------------------------------------------------------------
commit e98e080bad2c8b9f038a8f2dffcfeba1d5f392ce
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jul 3 10:24:12 2008 -0700
Patch from SATOH Fumiyasu <fumiyas at osstech.co.jp> for bug #5202. Re-activate "acl group control"
parameter and make it only apply to owning group. Also added man page fix.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/misc/dosfilemode.xml | 17 +++++----
docs-xml/smbdotconf/security/aclgroupcontrol.xml | 6 ++-
source/param/loadparm.c | 2 +-
source/smbd/posix_acls.c | 40 ++++++++++++++--------
4 files changed, 40 insertions(+), 25 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/misc/dosfilemode.xml b/docs-xml/smbdotconf/misc/dosfilemode.xml
index ae3b475..e67ccd9 100644
--- a/docs-xml/smbdotconf/misc/dosfilemode.xml
+++ b/docs-xml/smbdotconf/misc/dosfilemode.xml
@@ -3,15 +3,16 @@
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para> The default behavior in Samba is to provide
- UNIX-like behavior where only the owner of a file/directory is
+ <para> The default behavior in Samba is to provide
+ UNIX-like behavior where only the owner of a file/directory is
able to change the permissions on it. However, this behavior
- is often confusing to DOS/Windows users. Enabling this parameter
- allows a user who has write access to the file (by whatever
- means) to modify the permissions (including ACL) on it. Note that a user
- belonging to the group owning the file will not be allowed to
- change permissions if the group is only granted read access.
- Ownership of the file/directory may also be changed.</para>
+ is often confusing to DOS/Windows users. Enabling this parameter
+ allows a user who has write access to the file (by whatever
+ means, including an ACL permission) to modify the permissions
+ (including ACL) on it. Note that a user belonging to the group
+ owning the file will not be allowed to change permissions if
+ the group is only granted read access. Ownership of the
+ file/directory may also be changed.</para>
</description>
<value type="default">no</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
index e2600ca..6efd46d 100644
--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -30,8 +30,10 @@
</para>
<para>
- This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now
- implemented by the <parameter moreinfo="none">dos filemode</parameter> option.
+ This is parameter has been was deprecated in Samba 3.0.23, but re-activated in
+ Samba 3.0.31 and above, as it now only controls permission changes if the user
+ is in the owning primary group. It is now no longer equivalent to the
+ <parameter moreinfo="none">dos filemode</parameter> option.
</para>
</description>
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index b679b79..b2cbbf1 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -1507,7 +1507,7 @@ static struct parm_struct parm_table[] = {
.ptr = &sDefault.bAclGroupControl,
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED,
+ .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
},
{
.label = "acl map full control",
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index e92a263..427cfc9 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2362,20 +2362,32 @@ static bool current_user_in_group(gid_t gid)
}
/****************************************************************************
- Should we override a deny ? Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ? Check 'acl group control' and 'dos filemode'.
****************************************************************************/
-static bool acl_group_override(connection_struct *conn, gid_t prim_gid)
+static bool acl_group_override(connection_struct *conn,
+ gid_t prim_gid,
+ const char *fname)
{
- if ( (errno == EACCES || errno == EPERM)
- && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
- && current_user_in_group(prim_gid))
- {
- return True;
- }
+ SMB_STRUCT_STAT sbuf;
- return False;
+ if ((errno != EPERM) && (errno != EACCES)) {
+ return false;
+ }
+
+ /* file primary group == user primary or supplementary group */
+ if (lp_acl_group_control(SNUM(conn)) &&
+ current_user_in_group(prim_gid)) {
+ return true;
+ }
+
+ /* user has writeable permission */
+ if (lp_dos_filemode(SNUM(conn)) &&
+ can_write_to_file(conn, fname, &sbuf)) {
+ return true;
+ }
+
+ return false;
}
/****************************************************************************
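Review bot: `sbuf` in acl_group_override is declared without an initializer and its address is passed straight to `can_write_to_file(conn, fname, &sbuf)`. That helper is not visible in this hunk; if it treats a stat buffer that looks valid as already populated, the write-access check that gates the `dos filemode` override would run on indeterminate stack contents. Adding `ZERO_STRUCT(sbuf);` right after the declaration makes the buffer explicitly invalid, so the helper has to stat `fname` itself. The header comment could also say that the function depends on `errno` still holding the value from the failed ACL or chmod call, so callers must not run anything that can reset it first.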
@@ -2561,7 +2573,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
*pacl_set_support = False;
}
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
int sret;
DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
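Review bot: The DEBUG(5) text under this call still reads "acl group control on and current user in file %s primary group", but acl_group_override can now also return true through its `dos filemode` branch, where the user need not be in the owning group. Anyone reading the log to find out why a permission change was allowed after EACCES/EPERM would be pointed at the wrong parameter. The same stale wording follows the other three updated calls (the second set_canon_ace_list site and both set_nt_acl sites). A neutral message such as `"set_canon_ace_list: acl group control or dos filemode override for file %s.\n"` would fit, or the helper could log which branch matched. set_canon_ace_list begins and ends outside this hunk.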
@@ -2592,7 +2604,7 @@ static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool defau
*pacl_set_support = False;
}
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
int sret;
DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
@@ -3570,7 +3582,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
DEBUG(5,("set_nt_acl: acl group control on and "
"current user in file %s primary group. Override delete_def_acl\n",
fsp->fsp_name ));
@@ -3617,7 +3629,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
int sret = -1;
- if (acl_group_override(conn, sbuf.st_gid)) {
+ if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
DEBUG(5,("set_nt_acl: acl group control on and "
"current user in file %s primary group. Override chmod\n",
fsp->fsp_name ));
--
Samba Shared Repository