Author: jra Date: 2005-06-28 21:48:09 +0000 (Tue, 28 Jun 2005) New Revision: 7985
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7985 Log: Add "acl map full control", true by default, to allow people to change mapping of rwx to full control or not. Requested feature at SambaXP. Jeremy. Modified: branches/SAMBA_3_0/source/param/loadparm.c branches/SAMBA_3_0/source/smbd/posix_acls.c Changeset: Modified: branches/SAMBA_3_0/source/param/loadparm.c =================================================================== --- branches/SAMBA_3_0/source/param/loadparm.c 2005-06-28 21:48:06 UTC (rev 7984) +++ branches/SAMBA_3_0/source/param/loadparm.c 2005-06-28 21:48:09 UTC (rev 7985) @@ -437,6 +437,7 @@ BOOL bAfs_Share; BOOL bEASupport; BOOL bAclCheckPermissions; + BOOL bAclMapFullControl; int iallocation_roundup_size; int iAioReadSize; int iAioWriteSize; @@ -568,6 +569,7 @@ False, /* bAfs_Share */ False, /* bEASupport */ True, /* bAclCheckPermissions */ + True, /* bAclMapFullControl */ SMB_ROUNDUP_ALLOCATION_SIZE, /* iallocation_roundup_size */ 0, /* iAioReadSize */ 0, /* iAioWriteSize */ @@ -874,6 +876,7 @@ {"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL, FLAG_HIDE}, {"acl check permissions", P_BOOL, P_LOCAL, &sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, + {"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, {"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL, FLAG_HIDE}, {"force create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_force_mode, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE}, @@ -1979,6 +1982,7 @@ FN_LOCAL_BOOL(lp_map_acl_inherit, bMap_acl_inherit) FN_LOCAL_BOOL(lp_afs_share, bAfs_Share) FN_LOCAL_BOOL(lp_acl_check_permissions, bAclCheckPermissions) +FN_LOCAL_BOOL(lp_acl_map_full_control, bAclMapFullControl) FN_LOCAL_INTEGER(lp_create_mask, iCreate_mask) FN_LOCAL_INTEGER(lp_force_create_mode, iCreate_force_mode) FN_LOCAL_INTEGER(lp_security_mask, iSecurity_mask) Modified: branches/SAMBA_3_0/source/smbd/posix_acls.c =================================================================== --- branches/SAMBA_3_0/source/smbd/posix_acls.c 2005-06-28 21:48:06 UTC (rev 7984) +++ branches/SAMBA_3_0/source/smbd/posix_acls.c 2005-06-28 21:48:09 UTC (rev 7985) @@ -801,14 +801,14 @@ not get. Deny entries are implicit on get with ace->perms = 0. ****************************************************************************/ -static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace) +static SEC_ACCESS map_canon_ace_perms(int snum, int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, BOOL directory_ace) { SEC_ACCESS sa; uint32 nt_mask = 0; *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED; - if ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS) { + if (lp_acl_map_full_control(snum) && ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) { if (directory_ace) { nt_mask = UNIX_DIRECTORY_ACCESS_RWX; } else { @@ -2711,7 +2711,7 @@ * Get the owner, group and world SIDs. */ - if (lp_profile_acls(SNUM(fsp->conn))) { + if (lp_profile_acls(SNUM(conn))) { /* For WXP SP1 the owner must be administrators. */ sid_copy(&owner_sid, &global_sid_Builtin_Administrators); sid_copy(&group_sid, &global_sid_Builtin_Users); @@ -2825,12 +2825,12 @@ for (i = 0; i < num_acls; i++, ace = ace->next) { SEC_ACCESS acc; - acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory); + acc = map_canon_ace_perms(SNUM(conn), &nt_acl_type, &owner_sid, ace, fsp->is_directory); init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, ace->inherited ? SEC_ACE_FLAG_INHERITED_ACE : 0); } /* The User must have access to a profile share - even if we can't map the SID. */ - if (lp_profile_acls(SNUM(fsp->conn))) { + if (lp_profile_acls(SNUM(conn))) { SEC_ACCESS acc; init_sec_access(&acc,FILE_GENERIC_ALL); @@ -2843,7 +2843,7 @@ for (i = 0; i < num_def_acls; i++, ace = ace->next) { SEC_ACCESS acc; - acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace, fsp->is_directory); + acc = map_canon_ace_perms(SNUM(conn), &nt_acl_type, &owner_sid, ace, fsp->is_directory); init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT| SEC_ACE_FLAG_INHERIT_ONLY| @@ -2851,7 +2851,7 @@ } /* The User must have access to a profile share - even if we can't map the SID. */ - if (lp_profile_acls(SNUM(fsp->conn))) { + if (lp_profile_acls(SNUM(conn))) { SEC_ACCESS acc; init_sec_access(&acc,FILE_GENERIC_ALL);
