[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Sat Jan 21 13:11:24 MST 2012


The branch, v3-5-test has been updated
       via  a509cda Second part of fix for bug #8673 - NT ACL issue.
       via  c333e7a First part of fix for bug #8673 - NT ACL issue.
      from  42bcd6a Third part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit a509cda3794e8b3ba49d0e86d4aee962b3bd9309
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 10 14:43:04 2012 -0800

    Second part of fix for bug #8673 - NT ACL issue.
    
    Ensure we process the entire ACE list instead of returning ACCESS_DENIED
    and terminating the walk - ensure we only return the exact bits that cause
    the access to be denied. Some of the S3 fileserver needs to know if we
    are only denied DELETE access before overriding it by looking at the
    containing directory ACL.

commit c333e7ad01fb63c9682526799b2571cac251b76e
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 10 13:41:55 2012 -0800

    First part of fix for bug #8673 - NT ACL issue.
    
    Simplify the logic in the unlink/rmdir calls - makes it readable
    (and correct). Add some debug.

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/util_seaccess.c      |    7 +++--
 source3/modules/vfs_acl_common.c |   52 ++++++++++++++++++++++++-------------
 2 files changed, 38 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 058bf32..9f8d3fa 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -158,6 +158,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 {
 	int i;
 	uint32_t bits_remaining;
+	uint32_t explicitly_denied_bits = 0;
 
 	*access_granted = access_desired;
 	bits_remaining = access_desired;
@@ -223,15 +224,15 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
 			break;
 		case SEC_ACE_TYPE_ACCESS_DENIED:
 		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-			if (bits_remaining & ace->access_mask) {
-				return NT_STATUS_ACCESS_DENIED;
-			}
+			explicitly_denied_bits |= (bits_remaining & ace->access_mask);
 			break;
 		default:	/* Other ACE types not handled/supported */
 			break;
 		}
 	}
 
+	bits_remaining |= explicitly_denied_bits;
+
 done:
 	if (bits_remaining != 0) {
 		*access_granted = bits_remaining;
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index e8c79e6..17e1874 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -626,8 +626,11 @@ static int open_acl_common(vfs_handle_struct *handle,
 					&access_granted);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(10,("open_acl_xattr: %s open "
+				"for access 0x%x (0x%x) "
 				"refused with error %s\n",
 				fsp_str_dbg(fsp),
+				(unsigned int)fsp->access_mask,
+				(unsigned int)access_granted,
 				nt_errstr(status) ));
 			goto err;
 		}
@@ -911,17 +914,23 @@ static int rmdir_acl_common(struct vfs_handle_struct *handle,
 {
 	int ret;
 
+	/* Try the normal rmdir first. */
 	ret = SMB_VFS_NEXT_RMDIR(handle, path);
-	if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
-		DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
-			path,
-			strerror(errno) ));
-		return ret;
+	if (ret == 0) {
+		return 0;
+	}
+	if (errno == EACCES || errno == EPERM) {
+		/* Failed due to access denied,
+		   see if we need to root override. */
+		return acl_common_remove_object(handle,
+						path,
+						true);
 	}
 
-	return acl_common_remove_object(handle,
-					path,
-					true);
+	DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
+		path,
+		strerror(errno) ));
+	return -1;
 }
 
 static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
@@ -1039,21 +1048,28 @@ static int unlink_acl_common(struct vfs_handle_struct *handle,
 {
 	int ret;
 
+	/* Try the normal unlink first. */
 	ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
-	if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
-		DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
-			smb_fname->base_name,
-			strerror(errno) ));
-		return ret;
-	}
-	/* Don't do anything fancy for streams. */
-	if (smb_fname->stream_name) {
-		return ret;
+	if (ret == 0) {
+		return 0;
 	}
+	if (errno == EACCES || errno == EPERM) {
+		/* Failed due to access denied,
+		   see if we need to root override. */
 
-	return acl_common_remove_object(handle,
+		/* Don't do anything fancy for streams. */
+		if (smb_fname->stream_name) {
+			return -1;
+		}
+		return acl_common_remove_object(handle,
 					smb_fname->base_name,
 					false);
+	}
+
+	DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
+		smb_fname->base_name,
+		strerror(errno) ));
+	return -1;
 }
 
 static int chmod_acl_module_common(struct vfs_handle_struct *handle,


-- 
Samba Shared Repository


More information about the samba-cvs mailing list