[PATCH] smbcacls revision fix

Neil Bortnak nbortnak at cisco.com
Thu Jul 29 04:30:06 GMT 2004


Hi everyone,

I started using smbcacls and it worked great for everything except the 
set (-S) feature.

After some time spent with the code and a packet sniffer I found that 
all of the other functions read in the existing dacl, modify it and 
write it back. The set function creates a new one.

The revision number on the dacl that gets read from the server is 2, 
while the version number in set's created dacl is 3. I changed the 
created dacl to 2 and it works perfectly now.

It may or may not be relevant, but I am using and testing this against a 
NetApp Filer, and not a standard NT/2000 system. I also popped in a few 
extra snippets of code.

Neil
-------------- next part --------------
--- samba-3.0.5/source/utils/smbcacls.c	2004-07-21 01:28:15.000000000 +0900
+++ samba-3.0.5.new/source/utils/smbcacls.c	2004-07-29 13:03:32.684864224 +0900
@@ -321,7 +321,7 @@
 	SEC_ACL *new;
 	SEC_ACE *aces;
 	if (! *the_acl) {
-		(*the_acl) = make_sec_acl(ctx, 3, 1, ace);
+		(*the_acl) = make_sec_acl(ctx, 2, 1, ace);
 		return True;
 	}
 
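Review bot: The ACL revision in the `! *the_acl` branch is still a bare literal, now `2` instead of `3`, with no comment saying why. Since the cover note says this was only tested against a NetApp Filer, please add a short comment stating that 2 matches the revision seen on DACLs read back from the server, use a named constant rather than the magic number, and confirm that -S still works against an NT/2000 server and against Samba before this goes in.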
@@ -591,25 +591,30 @@
 	if (!sd) return EXIT_PARSE_ERROR;
 	if (test_args) return EXIT_OK;
 
-	/* The desired access below is the only one I could find that works
-	   with NT4, W2KP and Samba */
-
-	fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
-
-	if (fnum == -1) {
-		printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
-		return EXIT_FAILED;
-	}
-
-	old = cli_query_secdesc(cli, fnum, ctx);
-
-	if (!old) {
-		printf("calc_set: Failed to query old descriptor\n");
-		return EXIT_FAILED;
+	/* Skip over a call to the server for old information if we are just going
+	   to overwrite it anyway */
+	   
+	if(mode != SMB_ACL_SET) {
+		/* The desired access below is the only one I could find that works
+		   with NT4, W2KP and Samba */
+	
+		fnum = cli_nt_create(cli, filename, CREATE_ACCESS_READ);
+	
+		if (fnum == -1) {
+			printf("cacl_set failed to open %s: %s\n", filename, cli_errstr(cli));
+			return EXIT_FAILED;
+		}
+	
+		old = cli_query_secdesc(cli, fnum, ctx);
+	
+		if (!old) {
+			printf("calc_set: Failed to query old descriptor\n");
+			return EXIT_FAILED;
+		}
+	
+		cli_close(cli, fnum);
 	}
 
-	cli_close(cli, fnum);
-
 	/* the logic here is rather more complex than I would like */
 	switch (mode) {
 	case SMB_ACL_DELETE:
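Review bot: With the query now inside `if(mode != SMB_ACL_SET)`, `old` is never assigned by this code when mode is SMB_ACL_SET, yet the later call `make_sec_desc(ctx,old->revision, old->type, ...)` reads through it. Please make sure the SMB_ACL_SET case of the switch assigns `old` before that point, and initialise `old` to NULL at its declaration so a missed path fails visibly instead of reading an uninitialised pointer. Style: the surrounding code writes `if (` with a space, so `if(mode != SMB_ACL_SET)` should match, and the added blank lines carry trailing whitespace (a lone tab, and spaces after the new comment) that should be stripped.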
@@ -682,6 +687,11 @@
 	sd = make_sec_desc(ctx,old->revision, old->type, NULL, NULL,
 			   NULL, old->dacl, &sd_size);
 
+	if(!sd) {
+		printf("cacl_set: unable to make a security descriptor\n");
+		return EXIT_FAILED;
+	}
+
 	fnum = cli_nt_create(cli, filename, WRITE_DAC_ACCESS);
 
 	if (fnum == -1) {
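Review bot: The new `if(!sd)` check runs only after `make_sec_desc()` has already dereferenced `old` (`old->revision`, `old->type`, `old->dacl`), so it does not cover the case where `old` is invalid; a check on `old` before the call would close that gap. The error message would also be more useful with the filename in it, as the `cacl_set failed to open %s: %s` message does, and `if(!sd)` should be written `if (!sd)` to match the `if (fnum == -1)` style just below.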

