[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Jan 11 11:25:02 MST 2012


The branch, master has been updated
       via  f15cf91 Second part of fix for bug #8673 - NT ACL issue.
       via  6aafd86 First part of fix for bug #8673 - NT ACL issue.
      from  d7dcbcc lib/param: avoid talloc_reference() in copy_service()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f15cf9176df974c8a460db3ce74abf38d3f552ae
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 10 12:58:13 2012 -0800

    Second part of fix for bug #8673 - NT ACL issue.
    
    Ensure we process the entire ACE list instead of returning ACCESS_DENIED
    and terminating the walk - ensure we only return the exact bits that cause
    the access to be denied. Some of the S3 fileserver needs to know if we
    are only denied DELETE access before overriding it by looking at the
    containing directory ACL.
    
    Autobuild-User: Jeremy Allison <jra at samba.org>
    Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104

commit 6aafd8684b92eede3c83f1af49c23cef2deb7e03
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 10 12:52:01 2012 -0800

    First part of fix for bug #8673 - NT ACL issue.
    
    Simplify the logic in the unlink/rmdir calls - makes it readable
    (and correct).

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/access_check.c   |    7 +++--
 source3/modules/vfs_acl_common.c |   49 ++++++++++++++++++++++++--------------
 2 files changed, 35 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 6bb64ae..1b02a86 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 {
 	uint32_t i;
 	uint32_t bits_remaining;
+	uint32_t explicitly_denied_bits = 0;
 
 	*access_granted = access_desired;
 	bits_remaining = access_desired;
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 			break;
 		case SEC_ACE_TYPE_ACCESS_DENIED:
 		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-			if (bits_remaining & ace->access_mask) {
-				return NT_STATUS_ACCESS_DENIED;
-			}
+			explicitly_denied_bits |= (bits_remaining & ace->access_mask);
 			break;
 		default:	/* Other ACE types not handled/supported */
 			break;
 		}
 	}
 
+	bits_remaining |= explicitly_denied_bits;
+
 done:
 	if (bits_remaining != 0) {
 		*access_granted = bits_remaining;
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index bf535c5..e162bb9 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -647,17 +647,23 @@ static int rmdir_acl_common(struct vfs_handle_struct *handle,
 {
 	int ret;
 
+	/* Try the normal rmdir first. */
 	ret = SMB_VFS_NEXT_RMDIR(handle, path);
-	if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
-		DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
-			path,
-			strerror(errno) ));
-		return ret;
+	if (ret == 0) {
+		return 0;
+	}
+	if (errno == EACCES || errno == EPERM) {
+		/* Failed due to access denied,
+		   see if we need to root override. */
+		return acl_common_remove_object(handle,
+						path,
+						true);
 	}
 
-	return acl_common_remove_object(handle,
-					path,
-					true);
+	DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
+		path,
+		strerror(errno) ));
+	return -1;
 }
 
 static int unlink_acl_common(struct vfs_handle_struct *handle,
@@ -665,21 +671,28 @@ static int unlink_acl_common(struct vfs_handle_struct *handle,
 {
 	int ret;
 
+	/* Try the normal unlink first. */
 	ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
-	if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
-		DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
-			smb_fname->base_name,
-			strerror(errno) ));
-		return ret;
-	}
-	/* Don't do anything fancy for streams. */
-	if (smb_fname->stream_name) {
-		return ret;
+	if (ret == 0) {
+		return 0;
 	}
+	if (errno == EACCES || errno == EPERM) {
+		/* Failed due to access denied,
+		   see if we need to root override. */
 
-	return acl_common_remove_object(handle,
+		/* Don't do anything fancy for streams. */
+		if (smb_fname->stream_name) {
+			return -1;
+		}
+		return acl_common_remove_object(handle,
 					smb_fname->base_name,
 					false);
+	}
+
+	DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
+		smb_fname->base_name,
+		strerror(errno) ));
+	return -1;
 }
 
 static int chmod_acl_module_common(struct vfs_handle_struct *handle,


-- 
Samba Shared Repository


More information about the samba-cvs mailing list