When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
Jeremy Allison
jra at samba.org
Fri Oct 5 15:36:44 MDT 2012
On Sat, Oct 06, 2012 at 07:27:28AM +1000, Andrew Bartlett wrote:
> On Fri, 2012-10-05 at 08:44 -0700, Jeremy Allison wrote:
> > On Fri, Oct 05, 2012 at 06:01:08PM +1000, Andrew Bartlett wrote:
> > > On Tue, 2012-10-02 at 22:28 +0200, Jeremy Allison wrote:
> > > > commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f
> > > > Author: Jeremy Allison <jra at samba.org>
> > > > Date: Tue Oct 2 10:15:54 2012 -0700
> > > >
> > > > When setting a non-default ACL, don't forget to apply masks to
> > > > SMB_ACL_USER and SMB_ACL_GROUP entries.
> > >
> > > Jeremy,
> > >
> > > With this change, does this mean we have changed the mapping between
> > > posix ACLs and NT ACLs?
> > >
> > > If so, I'm concerned that any NT ACLs that have been set with
> > > vfs_acl_xattr will be invalidated, as the hash won't match up.
> >
> > Andrew, it *never* matters on set, it only matters on get.
> >
> > On set we will a re-hash, so changing the mapping on sets
> > doesn't matter.
>
> Sure, but this code seems to be in the get codepath,
> ensure_canon_entry_valid() is called via canonicalise_acl() from
> posix_get_nt_acl_common().
static bool ensure_canon_entry_valid(connection_struct *conn,
canon_ace **pp_ace,
bool is_default_acl,
const struct share_params *params,
const bool is_directory,
const struct dom_sid *pfile_owner_sid,
const struct dom_sid *pfile_grp_sid,
const SMB_STRUCT_STAT *pst,
bool setting_acl)
Note the last bool parameter, which is only true when we're
setting an ACL.
More information about the samba-technical
mailing list