Removing all ACEs in posix_acl.c ?

Ravi Wijayaratne ravi_wija at yahoo.com
Wed Sep 17 18:02:15 GMT 2003


Hi Jeremy

Here is a patch which handles a few problems I noticed in posix_acl.c

Problem 1.
One cannot delete all ACEs.
Rationale for the fix:
Effectively all ACEs should get no access except the owner's access and
default ACEs. If we receive a security descriptor with no ACEs in the DACL
but DACL present flag set (DACL_SECURITY_INFORMATION) that implies that all
ACEs for this ACL were removed. However, in Samba 3.0 tip, there is a comment
as "W2k traverse DACL set -- ignore" in line 3344 and this case is ignored
True. I do not know the reason for the comment. How can I generate the
case specified by the comment ?
I added code here to call ensure_canon_entry_valid(..) so that the POSIX
or other default ACL semantics can be preserved if access and default
acls are NULL.


Problem 2.
In create_pai_buf, when packing the information to the disk based PAI buf
the default and access ACLs are switched. As per specification in the
comment above and create_pai_entries(..) the attribute info for the access ACL
should come before the default ACL in the PAI buf. In create_pai_buf this is
reversed.

Hope this helps

Thank you
Ravi

------------------0x --------- patch -------------x0 -----------------


--- source/smbd/posix_acls.c.orig       2003-09-17 07:51:39.000000000 +0800
+++ source/smbd/posix_acls.c    2003-09-18 03:10:12.000000000 +0800
@@ -179,7 +179,8 @@

        entry_offset = pai_buf + PAI_ENTRIES_BASE;

-       for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
+
+       for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
                if (ace_list->inherited) {
                        uint8 type_val = (unsigned char)ace_list->owner_type;
                        uint32 entry_val = get_entry_val(ace_list);
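Review bot: the extra empty `+` line added ahead of the first loop leaves two blank lines after `entry_offset = pai_buf + PAI_ENTRIES_BASE;` and is unrelated whitespace; please drop it. Because the two loops have identical bodies, the write order is the only thing that tells access entries from default entries, so a one-line comment above this loop saying that the access (file) ACL entries are packed first would help keep the order from being swapped again.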
@@ -190,7 +191,7 @@
                }
        }

-       for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
+       for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
                if (ace_list->inherited) {
                        uint8 type_val = (unsigned char)ace_list->owner_type;
                        uint32 entry_val = get_entry_val(ace_list);
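Review bot: changing the list this second loop walks alters the order of entries in the stored buffer, and nothing in the patch addresses buffers already written by the old code with the default (dir) entries first. Please say in the commit message whether the reading side already expected access entries before default entries, in which case old buffers were being misread, or whether existing attributes need to be handled on upgrade.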
@@ -1920,7 +1921,7 @@

        if ((file_ace == NULL) && (dir_ace == NULL)) {
                /* W2K traverse DACL set - ignore. */
-               return True;
+               goto set_defaults;
        }

        /*
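Review bot: the comment `/* W2K traverse DACL set - ignore. */` is left in place, but after this change the branch no longer ignores the case; it jumps to set_defaults. Update the comment to describe the new behaviour (an empty DACL is treated as all ACEs removed). Since the cover note says the reason for the original comment is unknown, the case it was guarding should be identified before `return True;` is dropped.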
@@ -1960,6 +1961,7 @@
         * A default 3 element mode entry for a directory should be rwx --- ---.         */

+set_defaults:
        pst->st_mode = create_default_mode(fsp, False);

        if (!ensure_canon_entry_valid(&file_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True))
{
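Review bot: the `set_defaults:` label sits between the explanatory comment ending in `rwx --- ---.` and the `pst->st_mode = create_default_mode(fsp, False);` statement that comment describes, which detaches the comment from its code. Move the label above the comment block, and add a short note at the label that it is also reached with both file_ace and dir_ace NULL, so it is clear that ensure_canon_entry_valid has to cope with an empty list here.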
@@ -1978,7 +1980,7 @@

        pst->st_mode = create_default_mode(fsp, True);

-       if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp, pfile_owner_sid, pfile_grp_sid,
pst, True)) {
+       if (!ensure_canon_entry_valid(&dir_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
                free_canon_ace_list(file_ace);
                free_canon_ace_list(dir_ace);
                return False;
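Review bot: dropping the `dir_ace &&` guard makes ensure_canon_entry_valid run on a NULL dir_ace for every call that reaches this point, not only for the both-NULL case that arrives through set_defaults. If the intent is only to cover the empty-DACL case, keep the guard and add an explicit condition for that case; otherwise explain in the commit message why a descriptor that carries access entries but no default entries should now go through ensure_canon_entry_valid for the default list.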




=====
------------------------------
Ravi Wijayaratne




More information about the samba-technical mailing list