s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group

[kai/samba.git] / source3 / smbd / open.c

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 03e8feb30261a4040fd5243d5e207b92ffd07593..be8d31b13bd9957cd7b2b1e45692bf1a9498923e 100644 (file)
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3462,6 +3462,10 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
        bool inheritable_components = false;
        bool try_builtin_administrators = false;
        const struct dom_sid *BA_U_sid = NULL;
+       const struct dom_sid *BA_G_sid = NULL;
+       bool try_system = false;
+       const struct dom_sid *SY_U_sid = NULL;
+       const struct dom_sid *SY_G_sid = NULL;
        size_t size = 0;
 
        if (!parent_dirname(frame, fsp->fsp_name->base_name, &parent_name, NULL)) {
@@ -3507,6 +3511,16 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
                        try_builtin_administrators = true;
                } else if (security_token_is_system(token)) {
                        try_builtin_administrators = true;
+                       try_system = true;
+               }
+       }
+
+       if (group_sid == NULL &&
+           token->num_sids == PRIMARY_GROUP_SID_INDEX)
+       {
+               if (security_token_is_system(token)) {
+                       try_builtin_administrators = true;
+                       try_system = true;
                }
        }
 
@@ -3520,10 +3534,38 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
                        switch (ids.type) {
                        case ID_TYPE_BOTH:
                                BA_U_sid = &global_sid_Builtin_Administrators;
+                               BA_G_sid = &global_sid_Builtin_Administrators;
                                break;
                        case ID_TYPE_UID:
                                BA_U_sid = &global_sid_Builtin_Administrators;
                                break;
+                       case ID_TYPE_GID:
+                               BA_G_sid = &global_sid_Builtin_Administrators;
+                               break;
+                       default:
+                               break;
+                       }
+               }
+       }
+
+       if (try_system) {
+               struct unixid ids;
+               bool ok;
+
+               ZERO_STRUCT(ids);
+               ok = sids_to_unixids(&global_sid_System, 1, &ids);
+               if (ok) {
+                       switch (ids.type) {
+                       case ID_TYPE_BOTH:
+                               SY_U_sid = &global_sid_System;
+                               SY_G_sid = &global_sid_System;
+                               break;
+                       case ID_TYPE_UID:
+                               SY_U_sid = &global_sid_System;
+                               break;
+                       case ID_TYPE_GID:
+                               SY_G_sid = &global_sid_System;
+                               break;
                        default:
                                break;
                        }
@@ -3534,6 +3576,18 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
                owner_sid = BA_U_sid;
        }
 
+       if (owner_sid == NULL) {
+               owner_sid = SY_U_sid;
+       }
+
+       if (group_sid == NULL) {
+               group_sid = SY_G_sid;
+       }
+
+       if (try_system && group_sid == NULL) {
+               group_sid = BA_G_sid;
+       }
+
        if (owner_sid == NULL) {
                owner_sid = &token->sids[PRIMARY_USER_SID_INDEX];
        }