The branch, master has been updated
via a390a58 scripting ntacls: Do not place a SACL in the GPO filesystem
ACL
via 3e2584a ntvfs: Fill in sd->type based on the new ACL being added
via d6c7e9b smbd: Remove NT4 compatability handling in posix -> NT ACL
conversion
via 236977b Change get_nt_acl_no_snum() to return an NTSTATUS, not a
struct security_descriptor *.
via a443429 smbd: Correctly set fsp->is_directory before dealing with
ACLs
via dc05ab8 Ensure we Correctly set fsp->is_directory before dealing
with ACLs.
from 6f47497 lib/ldb: add missing newline in the output of
ldb_ldif_write_trace()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a390a5878db627a7f0147699fff97a39013816dc
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Nov 13 16:03:27 2012 +1100
scripting ntacls: Do not place a SACL in the GPO filesystem ACL
On a new GPO created on windows, the SACL is not used.
Andrew Bartlett
Reviewed by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Wed Nov 14 00:34:50 CET 2012 on sn-devel-104
commit 3e2584a86cc610c000f70105f39e7f3fa881aded
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Nov 13 16:45:03 2012 +1100
ntvfs: Fill in sd->type based on the new ACL being added
Previously we would not change the type field, and just relied on what
was in the original ACL based on the default SD.
This is required to ensure the SEC_DESC_DACL_PROTECTED is set
which is in turn required for GPOs to be set correctly
to match what windows does.
Andrew Bartlett
Reviewed by: Jeremy Allison <j...@samba.org>
commit d6c7e9b1ed6f7befbb2239350bba4547ef781e58
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Nov 12 17:11:34 2012 +1100
smbd: Remove NT4 compatability handling in posix -> NT ACL conversion
NT4 is long dead, and we should not change which ACL we return based
on what we think the client is. The reason we should not do this, is
that if we are using vfs_acl_xattr then the hash will break if we do.
Additionally, it would require that the python VFS interface set the
global remote_arch to fake up being a modern client.
This instead seems cleaner and removes untested code (the tests are
updated to then handle the results of the modern codepath).
The supporting 'acl compatability' parameter is also removed.
Andrew Bartlett
Reviewed by: Jeremy Allison <j...@samba.org>
commit 236977bf4642c035bb22cfcd1cee481c5f6c6da1
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Nov 13 12:48:53 2012 -0800
Change get_nt_acl_no_snum() to return an NTSTATUS, not a struct
security_descriptor *.
Internally change the implementation to use SMB_VFS_GET_NT_ACL()
instead of SMB_VFS_FGET_NT_ACL() with a faked-up file struct.
Andrew Bartlett
Reviewed by: Jeremy Allison <j...@samba.org>
commit a4434297f19a3520d0f2ac242d4e99576d927ecc
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Nov 13 12:34:35 2012 -0800
smbd: Correctly set fsp->is_directory before dealing with ACLs
Change set_nt_acl_no_snum() to correctly set up the fsp.
This does a stat on a real fsp in set_nt_acl_no_snum.
Reviewed by: Jeremy Allison <j...@samba.org>
commit dc05ab8e19a26265ace720528f7e9341aea62ee2
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Nov 13 12:21:45 2012 -0800
Ensure we Correctly set fsp->is_directory before dealing with ACLs.
Reviewed by: Jeremy Allison <j...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/vfs/aclcompatibility.xml | 17 --
lib/param/param_functions.c | 1 -
lib/param/param_table.c | 19 ---
source3/include/proto.h | 1 -
source3/rpc_server/eventlog/srv_eventlog_nt.c | 11 +-
source3/smbd/posix_acls.c | 170 +++-------------------
source3/smbd/proto.h | 4 +-
source3/smbd/pysmbd.c | 29 ++++-
source3/torture/cmd_vfs.c | 2 +-
source4/libcli/pysmb.c | 7 +-
source4/ntvfs/posix/pvfs_acl.c | 21 +++
source4/scripting/python/samba/ntacls.py | 1 -
source4/scripting/python/samba/tests/posixacl.py | 12 +-
13 files changed, 91 insertions(+), 204 deletions(-)
delete mode 100644 docs-xml/smbdotconf/vfs/aclcompatibility.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/vfs/aclcompatibility.xml
b/docs-xml/smbdotconf/vfs/aclcompatibility.xml
deleted file mode 100644
index 95f42cf..0000000
--- a/docs-xml/smbdotconf/vfs/aclcompatibility.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-<samba:parameter name="acl compatibility"
- context="G"
- type="enum"
- advanced="1" developer="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
-<description>
- <para>This parameter specifies what OS ACL semantics should
- be compatible with. Possible values are <emphasis>winnt</emphasis> for
Windows NT 4,
- <emphasis>win2k</emphasis> for Windows 2000 and above and
<emphasis>auto</emphasis>.
- If you specify <emphasis>auto</emphasis>, the value for this parameter
- will be based upon the version of the client. There should
- be no reason to change this parameter from the default.</para>
-</description>
-
-<value type="default">Auto</value>
-<value type="example">win2k</value>
-</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index d5cd018..94652fa 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -266,7 +266,6 @@ FN_GLOBAL_CONST_STRING(winbindd_socket_directory,
szWinbinddSocketDirectory)
FN_GLOBAL_CONST_STRING(winbind_separator, szWinbindSeparator)
FN_GLOBAL_CONST_STRING(workgroup, szWorkgroup)
FN_GLOBAL_CONST_STRING(wtmpdir, szWtmpDir)
-FN_GLOBAL_INTEGER(acl_compatibility, iAclCompat)
FN_GLOBAL_INTEGER(afs_token_lifetime, iAfsTokenLifetime)
FN_GLOBAL_INTEGER(algorithmic_rid_base, AlgorithmicRidBase)
FN_GLOBAL_INTEGER(allow_dns_updates, allow_dns_updates)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 01f65fe..a73cd96 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -180,16 +180,6 @@ static const struct enum_list enum_kerberos_method[] = {
{-1, NULL}
};
-
-/* ACL compatibility options. */
-static const struct enum_list enum_acl_compat_vals[] = {
- { ACL_COMPAT_AUTO, "auto" },
- { ACL_COMPAT_WINNT, "winnt" },
- { ACL_COMPAT_WIN2K, "win2k" },
- { -1, NULL}
-};
-
-
static const struct enum_list enum_printing[] = {
{PRINT_SYSV, "sysv"},
{PRINT_AIX, "aix"},
@@ -1459,15 +1449,6 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
- .label = "acl compatibility",
- .type = P_ENUM,
- .p_class = P_GLOBAL,
- .offset = GLOBAL_VAR(iAclCompat),
- .special = NULL,
- .enum_list = enum_acl_compat_vals,
- .flags = FLAG_ADVANCED | FLAG_SHARE | FLAG_GLOBAL,
- },
- {
.label = "defer sharing violations",
.type = P_BOOL,
.p_class = P_GLOBAL,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7c5a5a7..5f3d937 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1068,7 +1068,6 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
const char *lp_template_homedir(void);
const char *lp_template_shell(void);
const char *lp_winbind_separator(void);
-int lp_acl_compatibility(void);
bool lp_winbind_enum_users(void);
bool lp_winbind_enum_groups(void);
bool lp_winbind_use_default_domain(void);
diff --git a/source3/rpc_server/eventlog/srv_eventlog_nt.c
b/source3/rpc_server/eventlog/srv_eventlog_nt.c
index a05ea3f..a3e719a 100644
--- a/source3/rpc_server/eventlog/srv_eventlog_nt.c
+++ b/source3/rpc_server/eventlog/srv_eventlog_nt.c
@@ -91,12 +91,15 @@ static bool elog_check_access( EVENTLOG_INFO *info, const
struct security_token
/* get the security descriptor for the file */
- sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER |
SECINFO_GROUP | SECINFO_DACL);
+ status = get_nt_acl_no_snum( info,
+ tdbname,
+ SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL,
+ &sec_desc);
TALLOC_FREE( tdbname );
- if ( !sec_desc ) {
- DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n",
- tdbname));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5,("elog_check_access: Unable to get NT ACL for %s: %s\n",
+ tdbname, nt_errstr(status)));
return False;
}
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index d46a16d..b8e0d4a 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1059,24 +1059,6 @@ static void merge_aces( canon_ace **pp_list_head, bool
dir_acl)
}
/****************************************************************************
- Check if we need to return NT4.x compatible ACL entries.
-****************************************************************************/
-
-bool nt4_compatible_acls(void)
-{
- int compat = lp_acl_compatibility();
-
- if (compat == ACL_COMPAT_AUTO) {
- enum remote_arch_types ra_type = get_remote_arch();
-
- /* Automatically adapt to client */
- return (ra_type <= RA_WINNT);
- } else
- return (compat == ACL_COMPAT_WINNT);
-}
-
-
-/****************************************************************************
Map canon_ace perms to permission bits NT.
The attr element is not used here - we only process deny entries on set,
not get. Deny entries are implicit on get with ace->perms = 0.
@@ -1107,10 +1089,7 @@ uint32_t map_canon_ace_perms(int snum,
* to be changed in the future.
*/
- if (nt4_compatible_acls())
- nt_mask = UNIX_ACCESS_NONE;
- else
- nt_mask = 0;
+ nt_mask = 0;
} else {
if (directory_ace) {
nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R
: 0 );
@@ -1954,26 +1933,6 @@ static bool create_canon_ace_lists(files_struct *fsp,
DEBUG(3,("create_canon_ace_lists: unable to set
anything but an ALLOW or DENY ACE.\n"));
return False;
}
-
- if (nt4_compatible_acls()) {
- /*
- * The security mask may be UNIX_ACCESS_NONE which
should map into
- * no permissions (we overload the WRITE_OWNER bit for
this) or it
- * should be one of the ALL/EXECUTE/READ/WRITE bits.
Arrange for this
- * to be so. Any other bits override the
UNIX_ACCESS_NONE bit.
- */
-
- /*
- * Convert GENERIC bits to specific bits.
- */
-
- se_map_generic(&psa->access_mask,
&file_generic_mapping);
-
- psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
-
- if(psa->access_mask != UNIX_ACCESS_NONE)
- psa->access_mask &= ~UNIX_ACCESS_NONE;
- }
}
/*
@@ -3164,22 +3123,6 @@ static bool set_canon_ace_list(files_struct *fsp,
}
/****************************************************************************
- Find a particular canon_ace entry.
-****************************************************************************/
-
-static struct canon_ace *canon_ace_entry_for(struct canon_ace *list,
SMB_ACL_TAG_T type, struct unixid *id)
-{
- while (list) {
- if (list->type == type && ((type != SMB_ACL_USER && type !=
SMB_ACL_GROUP) ||
- (type == SMB_ACL_USER && id && id->id ==
list->unix_ug.id) ||
- (type == SMB_ACL_GROUP && id && id->id ==
list->unix_ug.id)))
- break;
- list = list->next;
- }
- return list;
-}
-
-/****************************************************************************
****************************************************************************/
@@ -3461,55 +3404,6 @@ static NTSTATUS posix_get_nt_acl_common(struct
connection_struct *conn,
canon_ace *ace;
enum security_ace_type nt_acl_type;
- if (nt4_compatible_acls() && dir_ace) {
- /*
- * NT 4 chokes if an ACL contains an
INHERIT_ONLY entry
- * but no non-INHERIT_ONLY entry for one SID.
So we only
- * remove entries from the Access ACL if the
- * corresponding Default ACL entries have also
been
- * removed. ACEs for CREATOR-OWNER and
CREATOR-GROUP
- * are exceptions. We can do nothing
- * intelligent if the Default ACL contains
entries that
- * are not also contained in the Access ACL, so
this
- * case will still fail under NT 4.
- */
-
- ace = canon_ace_entry_for(dir_ace,
SMB_ACL_OTHER, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(dir_ace, ace);
- TALLOC_FREE(ace);
-
- ace = canon_ace_entry_for(file_ace,
SMB_ACL_OTHER, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(file_ace, ace);
- TALLOC_FREE(ace);
- }
- }
-
- /*
- * WinNT doesn't usually have Creator Group
- * in browse lists, so we send this entry to
- * WinNT even if it contains no relevant
- * permissions. Once we can add
- * Creator Group to browse lists we can
- * re-enable this.
- */
-
-#if 0
- ace = canon_ace_entry_for(dir_ace,
SMB_ACL_GROUP_OBJ, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(dir_ace, ace);
- TALLOC_FREE(ace);
- }
-#endif
-
- ace = canon_ace_entry_for(file_ace,
SMB_ACL_GROUP_OBJ, NULL);
- if (ace && !ace->perms) {
- DLIST_REMOVE(file_ace, ace);
- TALLOC_FREE(ace);
- }
- }
-
num_acls = count_canon_ace_list(file_ace);
num_def_acls = count_canon_ace_list(dir_ace);
@@ -4963,30 +4857,34 @@ bool set_unix_posix_acl(connection_struct *conn,
files_struct *fsp, const char *
check. Caller is responsible for freeing the returned security
descriptor via TALLOC_FREE(). This is designed for dealing with
user space access checks in smbd outside of the VFS. For example,
- checking access rights in OpenEventlog().
+ checking access rights in OpenEventlog() or from python.
- Assume we are dealing with files (for now)
********************************************************************/
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char
*fname, uint32 security_info_wanted)
+NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
+ uint32 security_info_wanted,
+ struct security_descriptor **sd)
{
- struct security_descriptor *ret_sd;
- connection_struct *conn;
- files_struct finfo;
- struct fd_handle fh;
- NTSTATUS status;
TALLOC_CTX *frame = talloc_stackframe();
+ connection_struct *conn;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (!posix_locking_init(false)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
conn = talloc_zero(frame, connection_struct);
if (conn == NULL) {
+ TALLOC_FREE(frame);
DEBUG(0, ("talloc failed\n"));
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
if (!(conn->params = talloc(conn, struct share_params))) {
- DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
+ DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(frame);
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
conn->params->service = -1;
@@ -4994,43 +4892,21 @@ struct security_descriptor *get_nt_acl_no_snum(
TALLOC_CTX *ctx, const char *fna
set_conn_connectpath(conn, "/");
if (!smbd_vfs_init(conn)) {
- DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake
connection struct!\n"));
- conn_free(conn);
+ DEBUG(0,("smbd_vfs_init() failed!\n"));
TALLOC_FREE(frame);
- return NULL;
- }
-
- ZERO_STRUCT( finfo );
- ZERO_STRUCT( fh );
-
- finfo.fnum = FNUM_FIELD_INVALID;
- finfo.conn = conn;
- finfo.fh = &fh;
- finfo.fh->fd = -1;
-
- status = create_synthetic_smb_fname(frame, fname, NULL, NULL,
- &finfo.fsp_name);
- if (!NT_STATUS_IS_OK(status)) {
- conn_free(conn);
- TALLOC_FREE(frame);
- return NULL;
+ return NT_STATUS_INTERNAL_ERROR;
}
- if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo,
- security_info_wanted,
- ctx, &ret_sd))) {
- DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
- TALLOC_FREE(finfo.fsp_name);
- conn_free(conn);
- TALLOC_FREE(frame);
- return NULL;
+ status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n",
+ nt_errstr(status)));
}
- TALLOC_FREE(finfo.fsp_name);
conn_free(conn);
TALLOC_FREE(frame);
- return ret_sd;
+ return status;
}
/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 221499c..f95fddd 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -703,7 +703,6 @@ void reply_pipe_read_and_X(struct smb_request *req);
/* The following definitions come from smbd/posix_acls.c */
void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid
*powner_sid, struct dom_sid *pgroup_sid);
-bool nt4_compatible_acls(void);
uint32_t map_canon_ace_perms(int snum,
enum security_ace_type *pacl_type,
mode_t perms,
@@ -732,7 +731,8 @@ bool set_unix_posix_default_acl(connection_struct *conn,
const char *fname,
const SMB_STRUCT_STAT *psbuf,
uint16 num_def_acls, const char *pdata);
bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char
*fname, uint16 num_acls, const char *pdata);
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char
*fname, uint32 security_info_wanted);
+NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32
security_info_wanted,
+ struct security_descriptor **sd);
NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
const char *name,
SMB_STRUCT_STAT *psbuf,
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 6a6a812..42694cb 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -89,7 +89,7 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
NTSTATUS status = NT_STATUS_OK;
files_struct *fsp;
struct smb_filename *smb_fname = NULL;
- int flags;
+ int flags, ret;
mode_t saved_umask;
if (!posix_locking_init(false)) {
@@ -160,6 +160,29 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
return NT_STATUS_UNSUCCESSFUL;
}
+ ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
+ if (ret == -1) {
+ /* If we have an fd, this stat should succeed. */
+ DEBUG(0,("Error doing fstat on open file %s "
+ "(%s)\n",
+ smb_fname_str_dbg(smb_fname),
+ strerror(errno) ));
+ TALLOC_FREE(frame);
+ umask(saved_umask);
+ return map_nt_error_from_unix(errno);
+ }
+
+ fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
+ fsp->vuid = UID_FIELD_INVALID;
+ fsp->file_pid = 0;
+ fsp->can_lock = True;
+ fsp->can_read = True;
+ fsp->can_write = True;
+ fsp->print_file = NULL;
+ fsp->modified = False;
+ fsp->sent_oplock_break = NO_BREAK_SENT;
+ fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
+
status = SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n",
nt_errstr(status)));
@@ -472,11 +495,13 @@ static PyObject *py_smbd_get_nt_acl(PyObject *self,
PyObject *args)
PyObject *py_sd;
struct security_descriptor *sd;
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ NTSTATUS status;
if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted))
return NULL;
- sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);
+ status = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted, &sd);
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd,
sd);
diff --git a/source3/torture/cmd_vfs.c b/source3/torture/cmd_vfs.c
index a37c9fc..64b1b50 100644
--- a/source3/torture/cmd_vfs.c
+++ b/source3/torture/cmd_vfs.c
@@ -1524,7 +1524,7 @@ static NTSTATUS cmd_set_nt_acl(struct vfs_state *vfs,
TALLOC_CTX *mem_ctx, int a
fsp->print_file = NULL;
fsp->modified = False;
fsp->sent_oplock_break = NO_BREAK_SENT;
- fsp->is_directory = False;
+ fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
sd = sddl_decode(talloc_tos(), argv[2], get_global_sam_sid());
diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c
index 1122305..fb981c7 100644
--- a/source4/libcli/pysmb.c
+++ b/source4/libcli/pysmb.c
@@ -317,10 +317,11 @@ static PyObject *py_smb_getacl(pytalloc_Object *self,
PyObject *args, PyObject *
union smb_fileinfo fio;
struct smb_private_data *spdata;
const char *filename;
- int sinfo = 0;
+ uint32_t sinfo = 0;
+ int access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
int fnum;
- if (!PyArg_ParseTuple(args, "s|i:get_acl", &filename, &sinfo)) {
+ if (!PyArg_ParseTuple(args, "s|Ii:get_acl", &filename, &sinfo,
&access_mask)) {
return NULL;
}
@@ -331,7 +332,7 @@ static PyObject *py_smb_getacl(pytalloc_Object *self,
PyObject *args, PyObject *
io.generic.level = RAW_OPEN_NTCREATEX;
io.ntcreatex.in.root_fid.fnum = 0;
io.ntcreatex.in.flags = 0;
- io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ io.ntcreatex.in.access_mask = access_mask;
io.ntcreatex.in.create_options = 0;
io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 1519631..4e9c1ac 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -330,6 +330,7 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
}
sd->owner_sid = new_sd->owner_sid;
}
+
if (secinfo_flags & SECINFO_GROUP) {
if (!(access_mask & SEC_STD_WRITE_OWNER)) {
return NT_STATUS_ACCESS_DENIED;
@@ -349,19 +350,39 @@ NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
}
sd->group_sid = new_sd->group_sid;
}
+
if (secinfo_flags & SECINFO_DACL) {
if (!(access_mask & SEC_STD_WRITE_DAC)) {
return NT_STATUS_ACCESS_DENIED;
}
sd->dacl = new_sd->dacl;
pvfs_translate_generic_bits(sd->dacl);
+ sd->type |= SEC_DESC_DACL_PRESENT;
}
+
if (secinfo_flags & SECINFO_SACL) {
if (!(access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
--
Samba Shared Repository
