[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-5260-gcb5c72c

Karolin Seeger kseeger at samba.org
Wed May 13 16:48:30 GMT 2009


The branch, v3-3-test has been updated
       via  cb5c72c0a05a78ff1b86eb02cf5ecd3d7d69623d (commit)
      from  c66b3807a356655d1d4e351502cad939f4d1d101 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit cb5c72c0a05a78ff1b86eb02cf5ecd3d7d69623d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 8 14:33:49 2009 +0200

    s3:smbd: fix posix acls when setting an ACL without explicit ACE for the owner (bug#2346)
    
    The problem of bug #2346 remains for users exported by
    winbindd, because create_token_from_username() just fakes
    the token when the user is not in the local sam domain. This causes
    user_in_group_sid() to give totally wrong results.
    In uid_entry_in_group() we need to check if we already
    have the full unix token in the current_user struct.
    If so we should use the current_user unix token,
    instead of doing a very complex user_in_group_sid()
    which doesn't give reliable results anyway.
    
    metze
    (cherry picked from commit b79eff843be392f3065e912edca1434081d93c44)

-----------------------------------------------------------------------

Summary of changes:
 source/smbd/posix_acls.c |   21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index a319c58..93bc44b 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -1117,16 +1117,31 @@ static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
 	if (sid_equal(&group_ace->trustee, &global_sid_World))
 		return True;
 
-	/* Assume that the current user is in the current group (force group) */
+	/*
+	 * if it's the current user, we already have the unix token
+	 * and don't need to do the complex user_in_group_sid() call
+	 */
+	if (uid_ace->unix_ug.uid == current_user.ut.uid) {
+		size_t i;
 
-	if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
-		return True;
+		if (group_ace->unix_ug.gid == current_user.ut.gid) {
+			return True;
+		}
+
+		for (i=0; i < current_user.ut.ngroups; i++) {
+			if (group_ace->unix_ug.gid == current_user.ut.groups[i]) {
+				return True;
+			}
+		}
+	}
 
 	/* u_name talloc'ed off tos. */
 	u_name = uidtoname(uid_ace->unix_ug.uid);
 	if (!u_name) {
 		return False;
 	}
+
+	/* notice that this is not reliable for users exported by winbindd! */
 	return user_in_group_sid(u_name, &group_ace->trustee);
 }
 


-- 
Samba Shared Repository


More information about the samba-cvs mailing list