s3:smbd: fix posix acls when setting an ACL without explicit ACE for the owner (bug...

The problem of bug #2346 remains for users exported by
winbindd, because create_token_from_username() just fakes
the token when the user is not in the local sam domain. This causes
user_in_group_sid() to give totally wrong results.
In uid_entry_in_group() we need to check if we already
have the full unix token in the current_user struct.
If so we should use the current_user unix token,
instead of doing a very complex user_in_group_sid()
which doesn't give reliable results anyway.

metze

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index bc96838a09aa85d052f6c821459da9d1f44fd1cd..abfb00c44c057f44a34bad789dfa4ce04015a876 100644 (file)
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1273,16 +1273,31 @@ static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
        if (sid_equal(&group_ace->trustee, &global_sid_World))
                return True;
 
-       /* Assume that the current user is in the current group (force group) */
+       /*
+        * if it's the current user, we already have the unix token
+        * and don't need to do the complex user_in_group_sid() call
+        */
+       if (uid_ace->unix_ug.uid == current_user.ut.uid) {
+               size_t i;
 
-       if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
-               return True;
+               if (group_ace->unix_ug.gid == current_user.ut.gid) {
+                       return True;
+               }
+
+               for (i=0; i < current_user.ut.ngroups; i++) {
+                       if (group_ace->unix_ug.gid == current_user.ut.groups[i]) {
+                               return True;
+                       }
+               }
+       }
 
        /* u_name talloc'ed off tos. */
        u_name = uidtoname(uid_ace->unix_ug.uid);
        if (!u_name) {
                return False;
        }
+
+       /* notice that this is not reliable for users exported by winbindd! */
        return user_in_group_sid(u_name, &group_ace->trustee);
 }