[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Oct 7 18:38:01 MDT 2010 

The branch, master has been updated
       via  cd04af7 Fix bug 7716 - acl_xattr and acl_tdb modules don't store unmodified copies of security descriptors.
      from  fd9effc s3: Fix the async echo responder for netbios keepalives

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cd04af78d51121cc16453fcd52e0d4c3516bc3c5
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 7 16:56:36 2010 -0700

    Fix bug 7716 - acl_xattr and acl_tdb modules don't store unmodified copies of security descriptors.
    
    As pointed out by an OEM, the code within smbd/posix_acl.c, even though passed
    a const pointer to a security descriptor, still modifies the ACE entries within
    it (which are not const pointers).
    
    This means ACLs stored in the extended attribute by the acl_xattr module have
    already been modified by the POSIX acl layer, and are not the original intent
    of storing the "unmodified" ACL from the client.
    
    Use dup_sec_desc to make a copy of the incoming ACL on talloc_tos() - that
    is what is then modified inside smbd/posix_acl.c, leaving the original ACL
    to be correctly stored in the xattr.
    
    Jeremy.
    
    Autobuild-User: Jeremy Allison <jra at samba.org>
    Autobuild-Date: Fri Oct  8 00:37:53 UTC 2010 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/posix_acls.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index dc3585d..4ceb0f0 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3824,9 +3824,11 @@ NTSTATUS append_parent_acl(files_struct *fsp,
  Reply to set a security descriptor on an fsp. security_info_sent is the
  description of the following NT ACL.
  This should be the only external function needed for the UNIX style set ACL.
+ We make a copy of psd_orig as internal functions modify the elements inside
+ it, even though it's a const pointer.
 ****************************************************************************/
 
-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd)
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd_orig)
 {
 	connection_struct *conn = fsp->conn;
 	uid_t user = (uid_t)-1;
@@ -3841,6 +3843,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
 	bool set_acl_as_root = false;
 	bool acl_set_support = false;
 	bool ret = false;
+	struct security_descriptor *psd = NULL;
 
 	DEBUG(10,("set_nt_acl: called for file %s\n",
 		  fsp_str_dbg(fsp)));
@@ -3850,6 +3853,15 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
 		return NT_STATUS_MEDIA_WRITE_PROTECTED;
 	}
 
+	if (!psd_orig) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	psd = dup_sec_desc(talloc_tos(), psd_orig);
+	if (!psd) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	/*
 	 * Get the current state of the file.
 	 */


-- 
Samba Shared Repository

More information about the samba-cvs mailing list