[SCM] Samba Shared Repository - branch v3-5-test updated

Jeremy Allison jra at samba.org
Fri Oct 23 12:51:39 MDT 2009


The branch, v3-5-test has been updated
       via  e692241... Fix bug 6802 - A created folder does not properly inherit permissions from parent.
      from  d8d28f7... s4-torture: fixed double free in libnet_group test

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit e6922418846b7ffc42d8d6db4c5a08385dd365fe
Author: Barry Sabsevitz <barry_sabsevitz at hp.com>
Date:   Fri Oct 23 11:50:29 2009 -0700

    Fix bug 6802 - A created folder does not properly inherit permissions from parent.

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_acl_common.c |   42 ++++++++++++++++++++++++++++++++++---
 1 files changed, 38 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 39fd2ad..a12f105 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -279,7 +279,8 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
 *********************************************************************/
 
 static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
-						SMB_STRUCT_STAT *psbuf)
+						SMB_STRUCT_STAT *psbuf,
+						bool force_inherit)
 {
 	struct dom_sid owner_sid, group_sid;
 	size_t sd_size;
@@ -294,10 +295,22 @@ static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+	/* If force_inherit is set, this means we are initializing the ACEs for
+	 * a container and we want the ACEs for owner_sid and "SYSTEM" to be
+	 * inheritable by their children (See Bug #6802).
+	 */
+
 	init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
-			SEC_RIGHTS_FILE_ALL, 0);
+			SEC_RIGHTS_FILE_ALL, (force_inherit ?
+					(SEC_ACE_FLAG_OBJECT_INHERIT|
+					SEC_ACE_FLAG_CONTAINER_INHERIT) :
+					0));
+
 	init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
-			SEC_RIGHTS_FILE_ALL, 0);
+			SEC_RIGHTS_FILE_ALL, (force_inherit ?
+					(SEC_ACE_FLAG_OBJECT_INHERIT|
+					SEC_ACE_FLAG_CONTAINER_INHERIT) :
+					0));
 
 	pacl = make_sec_acl(mem_ctx,
 				NT4_ACL_REVISION,
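Review bot: With `force_inherit` set, the two inheritable ACEs name the directory's concrete owner SID and SYSTEM with `SEC_RIGHTS_FILE_ALL`. Every descendant that inherits from this folder, including objects later created by other users, would presumably carry an allow-all entry for the folder's creator. That consequence deserves a sentence in the comment block above the first `init_sec_ace` call, so that someone auditing share permissions can trace where the entry came from. The flag expression is also written out twice; computing it once, e.g. `uint8_t inherit_flags = force_inherit ? (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT) : 0;`, and passing `inherit_flags` to both calls keeps the owner and SYSTEM entries from drifting apart. default_file_sd starts in the previous hunk and continues past this one, so how the resulting ACL is applied is not visible here.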
@@ -332,6 +345,7 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 	DATA_BLOB blob;
 	size_t size;
 	char *parent_name;
+	bool force_inherit = false;
 	uint8_t hash[XATTR_SD_HASH_SIZE];
 
 	if (!parent_dirname(ctx, smb_fname->base_name, &parent_name, NULL)) {
@@ -400,7 +414,27 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 			return status;
 		}
 
-		psd = default_file_sd(ctx, &smb_fname->st);
+		/* If we get here, we could have the following possibilities:
+		 *	1. No ACLs exist on the parent container.
+		 *	2. ACLs exist on the parent container but they were
+		 *	not inheritable.
+		 *
+		 *	Check to see if case #1 occurred.
+		 *
+		 */
+		if (container &&
+			(parent_desc == NULL || parent_desc->dacl == NULL)) {
+
+			/* If no parent descriptor exists, then there were
+			 * no ACLs on the parent and then we must create
+			 * the ACLs on this newly created folder so that they
+			 * will be inherited by their children (See Bug #6802).
+			 */
+
+			force_inherit = true;
+		}
+
+		psd = default_file_sd(ctx, &smb_fname->st, force_inherit);
 		if (!psd) {
 			return NT_STATUS_NO_MEMORY;
 		}
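Review bot: The inner comment says the branch applies when "no parent descriptor exists", but the condition `parent_desc == NULL || parent_desc->dacl == NULL` also fires for a parent descriptor that is present and has no DACL. The outer comment also never says what happens in case 2. Since this test decides which ACEs a new directory hands down to its children, the comment should match it, for example `/* Parent has no descriptor or no DACL: make the default ACEs inheritable (Bug #6802). A parent DACL with no inheritable ACEs (case 2) keeps the non-inheritable defaults. */`. It is also worth confirming that a descriptor with a NULL DACL is meant to be treated like a missing one, since the code that fills `parent_desc` is outside the hunk. inherit_new_acl begins and ends outside this hunk.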


-- 
Samba Shared Repository

