problem with check_posix_acl_group_write return value

Jeremy Allison jra at samba.org
Fri Aug 12 01:13:18 GMT 2005


On Fri, Aug 12, 2005 at 10:59:15AM +1000, James Peach wrote:
> 
> Anyway, why are you checking whether ret is 1 or 0? The return value can
> be the result of SMB_VFS_SYS_ACL_GET_PERM, which is implemented as a
> bitwise & on some platforms. So a valid return value can be ACL_WRITE
> (02 on IRIX), which I would expect to cause the user to be able to
> delete the file ...

Nope - check the invarients on check_posix_acl_group_write(). It *only*
returns -1, 0, or 1.

>From the function header :

/****************************************************************************
 Check for POSIX group ACLs. If none use stat entry.
 Return -1 if no match, 0 if match and denied, 1 if match and allowed.
****************************************************************************/

I ran into this exact problem (SMB_VFS_SYS_ACL_GET_PERM returning 2)
on Solaris, and so check out this code in the check_posix_acl_group_write() function :

                /*
                 * Solaris returns 2 for this if write is available.
                 * canonicalize to 0 or 1.
                 */
                have_write = (have_write ? 1 : 0);

Please don't change it unless you can show me :-) a gdb backtrace
with this code failing.

Jeremy.


More information about the samba-technical mailing list