[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Wed Jan 11 11:25:02 MST 2012
The branch, master has been updated
via f15cf91 Second part of fix for bug #8673 - NT ACL issue.
via 6aafd86 First part of fix for bug #8673 - NT ACL issue.
from d7dcbcc lib/param: avoid talloc_reference() in copy_service()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f15cf9176df974c8a460db3ce74abf38d3f552ae
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 10 12:58:13 2012 -0800
Second part of fix for bug #8673 - NT ACL issue.
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.
Autobuild-User: Jeremy Allison <jra at samba.org>
Autobuild-Date: Wed Jan 11 19:24:53 CET 2012 on sn-devel-104
commit 6aafd8684b92eede3c83f1af49c23cef2deb7e03
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 10 12:52:01 2012 -0800
First part of fix for bug #8673 - NT ACL issue.
Simplify the logic in the unlink/rmdir calls - makes it readable
(and correct).
-----------------------------------------------------------------------
Summary of changes:
libcli/security/access_check.c | 7 +++--
source3/modules/vfs_acl_common.c | 49 ++++++++++++++++++++++++--------------
2 files changed, 35 insertions(+), 21 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 6bb64ae..1b02a86 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
{
uint32_t i;
uint32_t bits_remaining;
+ uint32_t explicitly_denied_bits = 0;
*access_granted = access_desired;
bits_remaining = access_desired;
@@ -232,15 +233,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
break;
case SEC_ACE_TYPE_ACCESS_DENIED:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- if (bits_remaining & ace->access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
break;
default: /* Other ACE types not handled/supported */
break;
}
}
+ bits_remaining |= explicitly_denied_bits;
+
done:
if (bits_remaining != 0) {
*access_granted = bits_remaining;
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index bf535c5..e162bb9 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -647,17 +647,23 @@ static int rmdir_acl_common(struct vfs_handle_struct *handle,
{
int ret;
+ /* Try the normal rmdir first. */
ret = SMB_VFS_NEXT_RMDIR(handle, path);
- if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
- DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
- path,
- strerror(errno) ));
- return ret;
+ if (ret == 0) {
+ return 0;
+ }
+ if (errno == EACCES || errno == EPERM) {
+ /* Failed due to access denied,
+ see if we need to root override. */
+ return acl_common_remove_object(handle,
+ path,
+ true);
}
- return acl_common_remove_object(handle,
- path,
- true);
+ DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
+ path,
+ strerror(errno) ));
+ return -1;
}
static int unlink_acl_common(struct vfs_handle_struct *handle,
@@ -665,21 +671,28 @@ static int unlink_acl_common(struct vfs_handle_struct *handle,
{
int ret;
+ /* Try the normal unlink first. */
ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
- if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
- DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
- smb_fname->base_name,
- strerror(errno) ));
- return ret;
- }
- /* Don't do anything fancy for streams. */
- if (smb_fname->stream_name) {
- return ret;
+ if (ret == 0) {
+ return 0;
}
+ if (errno == EACCES || errno == EPERM) {
+ /* Failed due to access denied,
+ see if we need to root override. */
- return acl_common_remove_object(handle,
+ /* Don't do anything fancy for streams. */
+ if (smb_fname->stream_name) {
+ return -1;
+ }
+ return acl_common_remove_object(handle,
smb_fname->base_name,
false);
+ }
+
+ DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
+ smb_fname->base_name,
+ strerror(errno) ));
+ return -1;
}
static int chmod_acl_module_common(struct vfs_handle_struct *handle,
--
Samba Shared Repository
More information about the samba-cvs
mailing list