[SCM] Samba Shared Repository - branch v3-6-test updated
Jeremy Allison
jra at samba.org
Sat Oct 16 00:05:25 MDT 2010
The branch, v3-6-test has been updated
via a733f2e7 Fix double ;; end-of-lines added in error.
via 22092a0 Don't arbitrarily clean all parametric options in add_a_service(), that is called from many places, not just smb.conf processing. Only clean parametric options when doing actual smb.conf reading (or registry equivalent).
via ab8f761 Ensure we have correct parameters to use Windows ACL modules. (cherry picked from commit 1ce5ff593d649bac6d59baa249f53af79f8cb465)
via cf41e46 Add acl_xattr:ignore system acls boolean (normally false) to allow Samba ACL module to ignore mapping to lower POSIX layer. With this fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters set).
via b7ae065 Add make_default_filesystem_acl() function to be used in following change to acl_xattr and acl_tdb module. (cherry picked from commit cf45581cdfbe60815c5b278f2c4cbceeb7ca1407)
via 8245c39 Fix handling of "NULL" DACL. Map to u/g/w - rwx.
via 13fd403 Fix "force unknown ACL user" to strip out foreign SIDs from POSIX ACLs if they can't be mapped. (cherry picked from commit e031f8ae6aee266c0ebf0b53465906e215ac9561)
via 2b05993 Add debug message to get_nt_acl_internal() to see what we got. (cherry picked from commit f4a9d25cfc70e79f476d01ae3234f2155bbcf39e)
via 15e25e9 Fix valgrind "uninitialized read" error on "info" when returning !NT_STATUS_OK.
via a376d6a Fix bug #7734 - When creating files with "inherit ACLs" set to true, we neglect to apply appropriate create masks.
via 19343b7 Fix bug #7733 - Invalid client DOS attributes on create can cause incorrect unix mode_t to be generated.
from 50e84a8 s3:gpfs: Add support for the gpfs_ftruncate call
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit a733f2e7fc4dc3b12108e771f42cda8c609035f4
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 22:26:29 2010 -0700
Fix double ;; end-of-lines added in error.
commit 22092a09eebaf45d404480f5c737072a57f4986b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 22:24:57 2010 -0700
Don't arbitrarily clean all parametric options in add_a_service(),
that is called from many places, not just smb.conf processing. Only
clean parametric options when doing actual smb.conf reading (or
registry equivalent).
Michael Adams, Volker, Metze, please check.
Jeremy.
commit ab8f7618200e4622870edd403d1322ae291dd7d9
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 19:54:51 2010 -0700
Ensure we have correct parameters to use Windows ACL modules.
(cherry picked from commit 1ce5ff593d649bac6d59baa249f53af79f8cb465)
commit cf41e4682ae92211f55658d6b0ef43937fe1d924
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 15:56:09 2010 -0700
Add acl_xattr:ignore system acls boolean (normally false) to allow
Samba ACL module to ignore mapping to lower POSIX layer. With this
fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters
set).
Jeremy.
Autobuild-User: Jeremy Allison <jra at samba.org>
Autobuild-Date: Sat Oct 16 01:26:31 UTC 2010 on sn-devel-104
(cherry picked from commit 06fc79f1fde5963ef89027e2cd297e866aa8c204)
commit b7ae065fa34d3637f6344da1b8f1fffab1c6c5b1
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 15:53:51 2010 -0700
Add make_default_filesystem_acl() function to be used in following change to acl_xattr and acl_tdb module.
(cherry picked from commit cf45581cdfbe60815c5b278f2c4cbceeb7ca1407)
commit 8245c39d2268700cb4f7917afe4fffc58960db02
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 15:42:44 2010 -0700
Fix handling of "NULL" DACL. Map to u/g/w - rwx.
Jeremy.
(cherry picked from commit 1904c44ec84fe5d706a4e07f73bad17d0948535a)
commit 13fd403b45e096ee847d000fd2ca9735054c72c7
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 15:28:23 2010 -0700
Fix "force unknown ACL user" to strip out foreign SIDs from POSIX ACLs if they can't be mapped.
(cherry picked from commit e031f8ae6aee266c0ebf0b53465906e215ac9561)
commit 2b0599383cc2ff2f2714eb1e0185d6c21760d1c9
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 14:18:22 2010 -0700
Add debug message to get_nt_acl_internal() to see what we got.
(cherry picked from commit f4a9d25cfc70e79f476d01ae3234f2155bbcf39e)
commit 15e25e99dcdb6d7dcb0f54c3c671170abeb0a5a1
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 14:16:30 2010 -0700
Fix valgrind "uninitialized read" error on "info" when returning !NT_STATUS_OK.
Jeremy.
(cherry picked from commit 625126dc8dec1198b94bda0643222f0b046587d8)
commit a376d6acdf878dc13e1d3cf29ae0e1d7fe7350a7
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 14:12:04 2010 -0700
Fix bug #7734 - When creating files with "inherit ACLs" set to true, we neglect to apply appropriate create masks.
Jeremy.
(cherry picked from commit 8cad5e23b6e2440a566def6fb138d484e3b47643)
commit 19343b779afef9048c7b52218351dd5c6a12061c
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 13:30:07 2010 -0700
Fix bug #7733 - Invalid client DOS attributes on create can cause incorrect unix mode_t to be generated.
It turns out a client can send an NTCreateX call for a new file, but specify
FILE_ATTRIBUTE_DIRECTORY in the attribute list. Windows silently strips this,
but we don't - causing the unix_mode() function to go through the "mode bits
for new directory" codepath, instead of the "mode bits for new file" codepath.
Jeremy.
(cherry picked from commit 92adb686372a9b67e47efb5b051bc351212f1780)
-----------------------------------------------------------------------
Summary of changes:
source3/include/proto.h | 4 +
source3/lib/smbldap.c | 6 +-
source3/modules/vfs_acl_common.c | 59 ++++++++++---
source3/modules/vfs_acl_tdb.c | 8 ++-
source3/modules/vfs_acl_xattr.c | 8 ++-
source3/modules/vfs_default.c | 2 +-
source3/param/loadparm.c | 6 +-
source3/smbd/open.c | 11 ++-
source3/smbd/posix_acls.c | 174 +++++++++++++++++++++++++++++++++-----
9 files changed, 231 insertions(+), 47 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7990070..4535560 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -5151,6 +5151,10 @@ bool set_unix_posix_default_acl(connection_struct *conn, const char *fname,
uint16 num_def_acls, const char *pdata);
bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata);
struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname);
+NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+ const char *name,
+ SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc);
/* The following definitions come from smbd/process.c */
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 67e3d4d..6a97b60 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -1550,7 +1550,7 @@ int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *at
int rc = LDAP_SERVER_DOWN;
int attempts = 0;
char *utf8_dn;
- time_t endtime = time_mono(NULL)+lp_ldap_timeout();;
+ time_t endtime = time_mono(NULL)+lp_ldap_timeout();
size_t converted_size;
SMB_ASSERT(ldap_state);
@@ -1594,7 +1594,7 @@ int smbldap_add(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs
int rc = LDAP_SERVER_DOWN;
int attempts = 0;
char *utf8_dn;
- time_t endtime = time_mono(NULL)+lp_ldap_timeout();;
+ time_t endtime = time_mono(NULL)+lp_ldap_timeout();
size_t converted_size;
SMB_ASSERT(ldap_state);
@@ -1638,7 +1638,7 @@ int smbldap_delete(struct smbldap_state *ldap_state, const char *dn)
int rc = LDAP_SERVER_DOWN;
int attempts = 0;
char *utf8_dn;
- time_t endtime = time_mono(NULL)+lp_ldap_timeout();;
+ time_t endtime = time_mono(NULL)+lp_ldap_timeout();
size_t converted_size;
SMB_ASSERT(ldap_state);
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 10cb252..c0c7391 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -256,6 +256,10 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
uint8_t hash_tmp[XATTR_SD_HASH_SIZE];
struct security_descriptor *psd = NULL;
struct security_descriptor *pdesc_next = NULL;
+ bool ignore_file_system_acl = lp_parm_bool(SNUM(handle->conn),
+ ACL_MODULE_NAME,
+ "ignore system acls",
+ false);
if (fsp && name == NULL) {
name = fsp->fsp_name->base_name;
@@ -319,6 +323,9 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
goto out;
}
+ if (ignore_file_system_acl) {
+ goto out;
+ }
status = hash_sd_sha256(pdesc_next, hash_tmp);
if (!NT_STATUS_IS_OK(status)) {
@@ -355,28 +362,45 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
* inheritable ACE entries we have to fake them.
*/
if (fsp) {
- is_directory = fsp->is_directory;
+ status = vfs_stat_fsp(fsp);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
psbuf = &fsp->fsp_name->st;
} else {
- if (vfs_stat_smb_fname(handle->conn,
+ int ret = vfs_stat_smb_fname(handle->conn,
name,
- &sbuf) == 0) {
- is_directory = S_ISDIR(sbuf.st_ex_mode);
+ &sbuf);
+ if (ret == -1) {
+ return map_nt_error_from_unix(errno);
}
}
- if (is_directory &&
+ is_directory = S_ISDIR(sbuf.st_ex_mode);
+
+ if (ignore_file_system_acl) {
+ TALLOC_FREE(pdesc_next);
+ status = make_default_filesystem_acl(talloc_tos(),
+ name,
+ psbuf,
+ &psd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else {
+ if (is_directory &&
!sd_has_inheritable_components(psd,
true)) {
- add_directory_inheritable_components(handle,
+ add_directory_inheritable_components(handle,
name,
psbuf,
psd);
+ }
+ /* The underlying POSIX module always sets
+ the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
+ can't be inherited in this way under POSIX.
+ Remove it for Windows-style ACLs. */
+ psd->type &= ~SEC_DESC_DACL_PROTECTED;
}
- /* The underlying POSIX module always sets
- the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
- can't be inherited in this way under POSIX.
- Remove it for Windows-style ACLs. */
- psd->type &= ~SEC_DESC_DACL_PROTECTED;
}
if (!(security_info & SECINFO_OWNER)) {
@@ -394,6 +418,13 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
TALLOC_FREE(blob.data);
*ppdesc = psd;
+
+ if (DEBUGLEVEL >= 10) {
+ DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
+ name ));
+ NDR_PRINT_DEBUG(security_descriptor, psd);
+ }
+
return NT_STATUS_OK;
}
@@ -893,6 +924,10 @@ static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
result,
&info);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
if (info != FILE_WAS_CREATED) {
/* File/directory was opened, not created. */
goto out;
@@ -900,7 +935,7 @@ static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
fsp = *result;
- if (!NT_STATUS_IS_OK(status) || fsp == NULL) {
+ if (fsp == NULL) {
/* Only handle success. */
goto out;
}
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index 8da0d1e..b26208c 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -28,6 +28,7 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_VFS
+#define ACL_MODULE_NAME "acl_tdb"
#include "modules/vfs_acl_common.c"
static unsigned int ref_count;
@@ -314,13 +315,16 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
return -1;
}
- /* Ensure we have "inherit acls = yes" if we're
+ /* Ensure we have the parameters correct if we're
* using this module. */
DEBUG(2,("connect_acl_tdb: setting 'inherit acls = true' "
- "and 'dos filemode = true' for service %s\n",
+ "'dos filemode = true' and "
+ "'force unknown acl user = true' for service %s\n",
service ));
+
lp_do_parameter(SNUM(handle->conn), "inherit acls", "true");
lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
+ lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
return 0;
}
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 18f2d42..aa7aeae 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -29,6 +29,8 @@
#define DBGC_CLASS DBGC_VFS
/* Pull in the common functions. */
+#define ACL_MODULE_NAME "acl_xattr"
+
#include "modules/vfs_acl_common.c"
/*******************************************************************
@@ -183,14 +185,16 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
return ret;
}
- /* Ensure we have "inherit acls = yes" if we're
+ /* Ensure we have the parameters correct if we're
* using this module. */
DEBUG(2,("connect_acl_xattr: setting 'inherit acls = true' "
- "and 'dos filemode = true' for service %s\n",
+ "'dos filemode = true' and "
+ "'force unknown acl user = true' for service %s\n",
service ));
lp_do_parameter(SNUM(handle->conn), "inherit acls", "true");
lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
+ lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
return 0;
}
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index c290782..2cbb84c 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -217,7 +217,7 @@ static int vfswrap_mkdir(vfs_handle_struct *handle, const char *path, mode_t mo
if (lp_inherit_acls(SNUM(handle->conn))
&& parent_dirname(talloc_tos(), path, &parent, NULL)
&& (has_dacl = directory_has_default_acl(handle->conn, parent)))
- mode = 0777;
+ mode = (0777 & lp_dir_mask(SNUM(handle->conn)));
TALLOC_FREE(parent);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d0aae40..ebfe4ca 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -6193,9 +6193,6 @@ static int add_a_service(const struct service *pservice, const char *name)
if (name) {
i = getservicebyname(name, NULL);
if (i >= 0) {
- /* Clean all parametric options for service */
- /* They will be added during parsing again */
- free_param_opts(&ServicePtrs[i]->param_opt);
return (i);
}
}
@@ -7951,6 +7948,9 @@ static bool do_section(const char *pszSectionName, void *userdata)
DEBUG(0, ("Failed to add a new service\n"));
return (False);
}
+ /* Clean all parametric options for service */
+ /* They will be added during parsing again */
+ free_param_opts(&ServicePtrs[iServiceIndex]->param_opt);
}
return (bRetval);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 2009d2a..413bc6c 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1509,6 +1509,12 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
ZERO_STRUCT(id);
+ /* Windows allows a new file to be created and
+ silently removes a FILE_ATTRIBUTE_DIRECTORY
+ sent by the client. Do the same. */
+
+ new_dos_attributes &= ~FILE_ATTRIBUTE_DIRECTORY;
+
if (conn->printer) {
/*
* Printers are handled completely differently.
@@ -1988,7 +1994,7 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
(def_acl = directory_has_default_acl(conn, parent_dir))) {
- unx_mode = 0777;
+ unx_mode = (0777 & lp_create_mask(SNUM(conn)));
}
DEBUG(4,("calling open_file with flags=0x%X flags2=0x%X mode=0%o, "
@@ -2466,6 +2472,9 @@ static NTSTATUS open_directory(connection_struct *conn,
SMB_ASSERT(!is_ntfs_stream_smb_fname(smb_dname));
+ /* Ensure we have a directory attribute. */
+ file_attributes |= FILE_ATTRIBUTE_DIRECTORY;
+
DEBUG(5,("open_directory: opening directory %s, access_mask = 0x%x, "
"share_access = 0x%x create_options = 0x%x, "
"create_disposition = 0x%x, file_attributes = 0x%x\n",
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index ebecd6c..c7bc4a9 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1752,6 +1752,14 @@ static bool create_canon_ace_lists(files_struct *fsp,
continue;
}
+ if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
+ DEBUG(10, ("create_canon_ace_lists: ignoring "
+ "unknown or foreign SID %s\n",
+ sid_string_dbg(&psa->trustee)));
+ SAFE_FREE(current_ace);
+ continue;
+ }
+
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
DEBUG(0, ("create_canon_ace_lists: unable to map SID "
@@ -3863,29 +3871,6 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
return NT_STATUS_NO_MEMORY;
}
- if((security_info_sent & SECINFO_DACL) &&
- (psd->type & SEC_DESC_DACL_PRESENT) &&
- (psd->dacl == NULL)) {
- struct security_ace ace;
-
- /* We can't have NULL DACL in POSIX.
- Use Everyone -> full access. */
-
- init_sec_ace(&ace,
- &global_sid_World,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- GENERIC_ALL_ACCESS,
- 0);
- psd->dacl = make_sec_acl(talloc_tos(),
- NT4_ACL_REVISION,
- 1,
- &ace);
- if (psd->dacl == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- security_acl_map_generic(psd->dacl, &file_generic_mapping);
- }
-
/*
* Get the current state of the file.
*/
@@ -3960,6 +3945,39 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
create_file_sids(&fsp->fsp_name->st, &file_owner_sid, &file_grp_sid);
+ if((security_info_sent & SECINFO_DACL) &&
+ (psd->type & SEC_DESC_DACL_PRESENT) &&
+ (psd->dacl == NULL)) {
+ struct security_ace ace[3];
+
+ /* We can't have NULL DACL in POSIX.
+ Use owner/group/Everyone -> full access. */
+
+ init_sec_ace(&ace[0],
+ &file_owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ GENERIC_ALL_ACCESS,
+ 0);
+ init_sec_ace(&ace[1],
+ &file_grp_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ GENERIC_ALL_ACCESS,
+ 0);
+ init_sec_ace(&ace[2],
+ &global_sid_World,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ GENERIC_ALL_ACCESS,
+ 0);
+ psd->dacl = make_sec_acl(talloc_tos(),
+ NT4_ACL_REVISION,
+ 3,
+ ace);
+ if (psd->dacl == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ security_acl_map_generic(psd->dacl, &file_generic_mapping);
+ }
+
acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
&file_grp_sid, &file_ace_list,
&dir_ace_list, security_info_sent, psd);
@@ -4804,3 +4822,113 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
return ret_sd;
}
+
+/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
+
+NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+ const char *name,
+ SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc)
+{
+ struct dom_sid owner_sid, group_sid;
+ size_t size = 0;
+ struct security_ace aces[4];
+ uint32_t access_mask = 0;
+ mode_t mode = psbuf->st_ex_mode;
+ struct security_acl *new_dacl = NULL;
+ int idx = 0;
+
+ DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
+ name, (int)mode ));
+
+ uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+ gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+ /*
+ We provide up to 4 ACEs
+ - Owner
+ - Group
+ - Everyone
+ - NT System
+ */
+
+ if (mode & S_IRUSR) {
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_ALL;
+ } else {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ }
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+ }
+
+ init_sec_ace(&aces[idx],
+ &owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+
+ access_mask = 0;
+ if (mode & S_IRGRP) {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ if (mode & S_IWGRP) {
+ /* note that delete is not granted - this matches posix behaviour */
+ access_mask |= SEC_RIGHTS_FILE_WRITE;
+ }
+ if (access_mask) {
+ init_sec_ace(&aces[idx],
+ &group_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+ }
+
+ access_mask = 0;
+ if (mode & S_IROTH) {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ if (mode & S_IWOTH) {
+ access_mask |= SEC_RIGHTS_FILE_WRITE;
+ }
+ if (access_mask) {
+ init_sec_ace(&aces[idx],
+ &global_sid_World,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+ }
+
+ init_sec_ace(&aces[idx],
+ &global_sid_System,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_RIGHTS_FILE_ALL,
+ 0);
+ idx++;
+
+ new_dacl = make_sec_acl(ctx,
+ NT4_ACL_REVISION,
+ idx,
+ aces);
+
+ if (!new_dacl) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *ppdesc = make_sec_desc(ctx,
+ SECURITY_DESCRIPTOR_REVISION_1,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ &owner_sid,
+ &group_sid,
+ NULL,
+ new_dacl,
+ &size);
+ if (!*ppdesc) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
--
Samba Shared Repository
More information about the samba-cvs
mailing list