[PATCH][samba-4.0 only] fix the share-ACL handling

Peter Somogyi PSOMOGYI at hu.ibm.com
Tue Jun 14 16:48:08 UTC 2016


I don't know whether samba-4.0 is still open for any change, but let me 
attach a 1-liner fix with a reproducer (tested win7, win2012, all other 
samba level - they all survive except samba-4.0).
In a nutshell, the problem is that share-ACLs won't restrict users in 
changing ACLs.

Alternative was to remove the "csal" structure completely from samba-4.0 
by picking some of the samba-4.1 patches (loosing 3.6 VFS ABI 
compatibility), however I failed to figure out exactly which set of 
patches would surely work stable in production, and feared of removal of 
this "csal" structure just on my own in a historical code. 

All in all, a hard test effort is unavoidable after touching this area.

Peter Somogyi
IBM Magyarországi Kft.
1117 Budapest
Infopark, Neumann János u. 1.
Phone: +36 1 382 5469

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-4.0-fix-connection-share-access-list-init.patch
Type: application/octet-stream
Size: 774 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160614/a7f56b5b/0001-samba-4.0-fix-connection-share-access-list-init.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-recreate-a-share-security-issue-for-samba-4.patch
Type: application/octet-stream
Size: 13664 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160614/a7f56b5b/0001-torture-recreate-a-share-security-issue-for-samba-4.obj>

More information about the samba-technical mailing list